EP3542266B1 - Collecting and processing context attributes on a host - Google Patents

Collecting and processing context attributes on a host Download PDF

Info

Publication number
EP3542266B1
EP3542266B1 EP17825331.6A EP17825331A EP3542266B1 EP 3542266 B1 EP3542266 B1 EP 3542266B1 EP 17825331 A EP17825331 A EP 17825331A EP 3542266 B1 EP3542266 B1 EP 3542266B1
Authority
EP
European Patent Office
Prior art keywords
examples
engine
identifier
service
context
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP17825331.6A
Other languages
German (de)
English (en)
French (fr)
Other versions
EP3542266A1 (en
Inventor
Laxmikant Vithal GUNDA
Vinith PODDUTURI
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nicira Inc
Original Assignee
Nicira Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US15/650,294 external-priority patent/US10802858B2/en
Priority claimed from US15/796,875 external-priority patent/US10805332B2/en
Application filed by Nicira Inc filed Critical Nicira Inc
Priority to EP23179615.2A priority Critical patent/EP4231146A1/en
Priority claimed from PCT/US2017/065495 external-priority patent/WO2018118465A1/en
Publication of EP3542266A1 publication Critical patent/EP3542266A1/en
Application granted granted Critical
Publication of EP3542266B1 publication Critical patent/EP3542266B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004Server selection for load balancing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/51Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45591Monitoring or debugging support
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45595Network integration; Enabling network access in virtual machine instances

Definitions

  • Middlebox services have historically been hardware appliances that are implemented at one or more points in a network topology in an enterprise or a datacenter. With the advent of software defined networking (SDN) and network virtualization, traditional hardware appliances do not take advantage of the flexibility and control that is provided by SDN and network virtualization. Accordingly, in recent years, some have suggested various ways to provide middlebox services on hosts. Most of these middlebox solutions, however, do not take advantage of the rich-contextual data that can be captured for each data message flow on the host. One reason for this is that existing techniques do not provide an efficient, distributed scheme for filtering the thousands of captured-contextual attributes in order to efficiently process service rules that are defined in terms of much smaller sets of contextual attributes.
  • Some examples provide an architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers.
  • the machines are virtual machines (VMs) in some examples, containers in other examples, or a mix of VMs and containers in still other examples.
  • VMs virtual machines
  • a guest-introspection (GI) agent is executed on each machine from which contextual attributes need to be captured.
  • these examples also execute a context engine and one or more attribute-based service engines on each host computer.
  • the context engine of that host collects contextual attributes associated with network events and/or process events on the machines.
  • the context engine then provides the contextual attributes to the service engines, which, in turn, use these contextual attributes to identify service rules that specify context-based services to perform on processes executing on the machines and/or data message flows sent by or received for the machines.
  • the context engine of a host collects contextual attributes from the GI agents of the machines on that host through a variety of different ways. For instance, in some examples, the GI agent on a machine registers hooks (e.g., callbacks) with one or more modules (e.g., kernel-space modules or user-space modules) in the machine's operating system for all new network connection events and all new process events.
  • hooks e.g., callbacks
  • modules e.g., kernel-space modules or user-space modules
  • the GI agent Upon occurrence of a new network connection event, the GI agent receives a callback from the OS and based on this callback, provides a network event identifier to the context engine.
  • the network event identifier provides a set of attributes pertaining to the network event. These network event attributes in some examples include a five-tuple identifier (i.e., source port and IP address, destination port and IP address, and protocol) of the requested network connection, process identifier of the process requesting the network connection, a user identifier associated with the requesting process, and a group identifier (e.g., an activity directory (AD) identifier) associated with the requesting process.
  • AD activity directory
  • the context engine directs the GI agent to collect from the OS modules additional process parameters that are associated with the process identifier (ID) that it received with the network event.
  • additional process parameters in some examples include the process name, the process hash, the process path with command line parameters, the process network connection, the process-loaded modules, and one or more process consumption parameters specifying the process' consumption of one or more resources of the machine (e.g., central processing unit consumption, network consumption, and memory consumption).
  • the context engine receives all the process parameters associated with a network event in one shot when the GI agent reports the network event to the context engine.
  • the OS on a machine in some examples holds up a new network event (i.e., does not start sending data messages for the network event) until the GI agent on the machine directs it to proceed with processing the network event.
  • the GI agent only allows the OS to proceed with processing the network event after the context engine has collected all the needed attributes for this event (e.g., after receiving a message from the context engine that specifies that it has received all the process or network attributes that it needs for the new network event).
  • the context engine uses the process hash that it receives from the GI agent to identify the name and version of the application (i.e., the software product) to which the process belongs. To do this, the context engine in some examples stores process hashes and associated application names/versions, compares the process hash that it receives from the GI agent with the stored process hashes to identify a matching hash, and then uses the application name/version of the matching hash as the application name and version of the process associated with the event.
  • the context engine obtains the process hashes and application names/versions from one or more network or compute managers, which may operate on another device or computer.
  • the context engine provides the hash associated with a process identifier to a network or compute manager, which then matches this hash to its process hash records and provides the application name/version of the associated process to the context engine.
  • the context engine can provide the name and version attributes to the attribute-based service engines, which can use this information (i.e., the application name and/or version) to identify the service rule to enforce.
  • the GI agent Upon occurrence of a process event, the GI agent receives a callback from the OS and based on this callback, provides a process event identifier to the context engine.
  • the process event identifier provides a set of attributes pertaining to the process event. This set of attributes includes the process identifier in some examples. In some examples, this set also includes a user identifier and/or a group identifier (e.g., an activity directory (AD) identifier).
  • AD activity directory
  • the GI agent provides all the process parameters (e.g., process identifier, user ID, group ID, process name, process hash, loaded module identifiers, consumption parameters, etc.) associated with a process event to the context engine when it reports the process event to the context engine.
  • the context engine directs the GI agent to collect from the OS modules additional process parameters that are associated with the process identifier that context engine received with the process event. These additional process parameters in some examples are the same (e.g., process name, process hash, loaded module identifiers, consumption parameters, etc.) as the process parameters mentioned above for reported network events.
  • the context engine of some examples augments the contextual attributes that it receives from the GI agent with contextual attributes that it receives from other modules that execute on the host. For instance, in some examples, a deep packet inspection (DPI) module executes on the host.
  • the context engine or another module e.g., a firewall engine directs this DPI engine to examine data messages of a data message flow associated with a process ID to identify the type of traffic being sent in these data messages by the application associated with the process ID.
  • DPI deep packet inspection
  • the identified traffic-type identity is today commonly referred to as the AppID.
  • the context engine combines the AppID that it obtains for a network event with other context attributes that it identifies for this event (e.g., by using the event's five-tuple identifier to associate the AppID with the collected contextual attributes), in order to produce a very rich set of attributes that the service engines can then use to perform their services.
  • This rich set of attributes provides true application identity (i.e., the application name, application version, application traffic type, etc.), based on which the service engines can perform their services.
  • a threat detection module executes on the host computer along with the context engine.
  • the context engine obtains a set of process parameters that specify that a process has started on a machine or is sending data messages on the machine
  • the context engine in some examples provides one or more process parameters (e.g., process hash, application name, application version, AppID, other process parameters, etc.) to the threat detection module.
  • This threat detection module then generates a threat level indicator (e.g., low, medium, high, etc.) for the identified process and provides this threat level indicator to the context engine.
  • the context engine then provides this threat level indicator to one or more service engines as another contextual attribute for performing services on a new process event or the data messages of a new network event; a service engine can use the threat level indicator as another attribute to identify service rules to enforce.
  • the context engine employs a push model in some examples to distribute the collected contextual attributes to the service engines, while it employs a pull model in other examples to distribute these attributes to the service engines.
  • the content engine employs a push model for some service engines and a pull model for other service engines.
  • the context engine distributes to a service engine the contextual attributes that it collects for a process event or a network event with the process's identifier and/or the network event's flow identifier (e.g., the flow's five-tuple identifier).
  • the context engine distributes to the service engine only the contextual attributes that are relevant for that service engine's service rules.
  • the context engine receives queries from a service engine for the contextual attributes that the context engine has collected for a particular process or network connection.
  • the context engine receives a process ID or a flow identifier (e.g., five-tuple identifier) with a query from the service engine, and uses the received identifier to identify the attribute set that it has to provide to the service engine.
  • the context engine generates a service token (also called a service tag) for the collection of attributes that are relevant for the service engine, and provides this service token to another module (e.g., the GI agent or another module on the host) to pass along to the service engine (e.g., pass along in a data message's encapsulating header).
  • the service engine extracts the service token and provides this service token to the context engine in order to identify the contextual attributes that the context engine has to provide to the service engine.
  • the context engine in some examples provides contextual-attributes to several context-based service engines on its host computer.
  • the context engine and the service engines are all kernel space components of a hypervisor on which multiple VMs or containers execute.
  • the context engine and/or one or more service engines are user space processes.
  • one or more service engines in some examples are service VMs (SVMs).
  • the attribute-based service engines include (1) a firewall engine that performs context-based firewall operations on data messages sent by or received for the machines, (2) a process control engine that enforces context-based process control operations (e.g., process assessment and termination operations) on processes started on the machines, (3) a load-balancing engine that performs context-based load-balancing operations to distribute the data message flows from the machines to different destination or service nodes in one or more destination/service node clusters, and (4) an encryption engine that performs context-based encryption or decryption operations to encrypt data message from the machines, or to decrypt data messages received for the machines.
  • a firewall engine that performs context-based firewall operations on data messages sent by or received for the machines
  • a process control engine that enforces context-based process control operations (e.g., process assessment and termination operations) on processes started on the machines
  • a load-balancing engine that performs context-based load-balancing operations to distribute the data message flows from the machines to different destination or service nodes in one or more destination/service no
  • Another context-based service engine in some examples is a discovery service engine.
  • the discovery engine captures new process events and new network events from the context engine, along with the contextual attributes that the context engine collects for these process and network events.
  • the discovery service engine then relays these events and their associated contextual attributes to one or more network managers (e.g., servers) that provide a management layer that allows network administrators to visualize events in a datacenter and specify policies for compute and network resources in the datacenter.
  • network managers e.g., servers
  • the discovery module of some examples performs some pre-processing of these events and attributes. For example, in some examples, the discovery module filters some of the network or process events, while aggregating some or all of these events and their attributes. Also, in some examples, the discovery engine directs the context engine to collect additional contextual attributes for process or network events through the GI agents or other modules (e.g., the DPI engine or threat detection engine), or to capture other types of events, such as file events and system events.
  • the GI agents or other modules e.g., the DPI engine or threat detection engine
  • the discovery engine directs the context engine to build an inventory of the applications installed on the machines, and to periodically refresh this inventory.
  • the discovery engine might so direct the context engine at the request of the management plane, or based on operational configurations that the management or control plane specifies for the discovery engine.
  • the context engine in some examples has each GI agent on each of its host's machine discover all installed processes on the machine, and all running processes and services.
  • the discovery engine of a host computer in a datacenter provides this information to the network/compute managers in the management plane.
  • the management plane collects contextual attributes from sources other than the host computer discovery and context engines. For instance, in some examples, the management plane collects from one or more servers compute context (e.g., cloud context from cloud vendors, or compute virtualization context by datacenter virtualization software), identity context from directory service servers, mobility context from mobility management servers, endpoint context from DNS (domain name server) and application inventory servers, network context (e.g., virtual network context) from network virtualization server, etc.
  • compute context e.g., cloud context from cloud vendors, or compute virtualization context by datacenter virtualization software
  • identity context from directory service servers
  • mobility context from mobility management servers
  • endpoint context from DNS (domain name server) and application inventory servers
  • network context e.g., virtual network context
  • the management plane can provide a user interface to the network/compute administrators to visualize the compute and network resources in the datacenter. Moreover, the collected contextual attributes allow the management plane to provide controls through this user interface for these administrators to specify context-based service rules and/or policies. These service rules/policies are then distributed to the host computers so that service engines on these computers can perform context-based service operations.
  • the contextual information e.g., information from the discovery and context engines and/or information from other context sources
  • the management plane can provide a user interface to the network/compute administrators to visualize the compute and network resources in the datacenter.
  • the collected contextual attributes allow the management plane to provide controls through this user interface for these administrators to specify context-based service rules and/or policies. These service rules/policies are then distributed to the host computers so that service engines on these computers can perform context-based service operations.
  • Some examples of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers.
  • Some examples execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured.
  • GI guest-introspection
  • these examples also execute a context engine and one or more attribute-based service engines on each host computer.
  • the context engine of that host collects contextual attributes associated with network events and/or process events on the machines.
  • the context engine then provides the contextual attributes to the service engines, which, in turn, use these contextual attributes to identify service rules that specify context-based services to perform on processes executing on the machines and/or data message flows sent by or received for the machines.
  • data messages refer to a collection of bits in a particular format sent across a network.
  • data message may be used herein to refer to various formatted collections of bits that may be sent across a network, such as Ethernet frames, IP packets, TCP segments, UDP datagrams, etc.
  • L2, L3, L4, and L7 layers are references respectively to the second data link layer, the third network layer, the fourth transport layer, and the seventh application layer of the OSI (Open System Interconnection) layer model.
  • Figure 1 illustrates a host computer 100 that uses the context engine and context-based service engines of some examples of the invention.
  • the host computer 100 includes several data compute nodes 105, a context engine 110, several context-based service engines 130, a threat detector 132, and a deep packet inspection (DPI) module 135.
  • the context-based service engines include a discovery engine 120, a process control engine 122, an encryption engine 124, a load balancer 126 and a firewall engine 128. It also includes context-based service rule storages 140, and an attribute storage 145.
  • the DCNs are endpoint machines executing on the host computer 100.
  • the DCNs are virtual machines (VMs) in some examples, containers in other examples, or a mix of VMs and containers in still other examples.
  • a GI agent 150 executes in order to collect contextual attributes for the context engine 110.
  • the context engine 110 collects contextual attributes from the GI agents 150 of the DCNs on its host through a variety of different ways. For instance, in some examples, the GI agent on a DCN registers hooks (e.g., callbacks) with one or more modules (e.g., kernel-space modules or user-space modules) in the DCN's operating system for all new network connection events and all new process events.
  • hooks e.g., callbacks
  • modules e.g., kernel-space modules or user-space modules
  • the GI agent 150 Upon occurrence of a new network connection event, the GI agent 150 receives a callback from its DCN's OS and based on this callback, provides a network event identifier to the context engine 110.
  • the network event identifier provides a set of attributes pertaining to the network event. These network event attributes in some examples include a five-tuple identifier (i.e., source port and IP address, destination port and IP address, and protocol) of the requested network connection, process identifier of the process requesting the network connection, a user identifier associated with the requesting process, and a group identifier (e.g., an activity directory (AD) identifier) associated with the requesting process.
  • AD activity directory
  • the context engine directs the GI agent 150 to collect from the OS modules additional process parameters that are associated with the process identifier (ID) that it received with the network event.
  • additional process parameters in some examples include the process name, the process hash, the process path with command line parameters, the process network connection, the process-loaded modules, and one or more process consumption parameters specifying the process' consumption of one or more resources of the machine (e.g., central processing unit consumption, network consumption, and memory consumption).
  • the context engine 110 receives all the process parameters associated with a network event in one shot when the GI agent reports the network event to the context engine.
  • the OS of the DCN in some examples holds up a new network event (i.e., does not start sending data messages for the network event) until the GI agent 150 on that DCN directs it to proceed with processing the network event.
  • the GI agent 150 only allows the OS to proceed with processing the network event after the context engine 110 has collected all the needed attributes for this event (e.g., after receiving a message from the context engine that specifies that it has received all the process or network attributes that it needs for the new network event).
  • the context engine 110 uses the process hash that it receives from the GI agent 150 to identify the name and version of the application (i.e., the software product) to which the process belongs. To do this, the context engine 110 in some examples stores process hashes and associated application names/versions, compares the process hash that it receives from the GI agent with the stored process hashes to identify a matching hash, and then uses the application name/version of the matching hash as the application name and version of the process associated with the event.
  • the context engine 110 obtains the process hashes and application names/versions from one or more network or compute managers, which may operate on another device or computer.
  • the context engine provides the hash associated with a process identifier to a network or compute manager, which then matches this hash to its process hash records and provides the application name/version of the associated process to the context engine.
  • the context engine 110 can provide the name and version attributes to the attribute-based service engines, which can use this information (i.e., the application name and/or version) to identify the service rule to enforce.
  • the DCN's GI agent 150 Upon occurrence of a process event on a DCN 105, the DCN's GI agent 150 in some examples receives a callback from the DCN's OS and based on this callback, provides a process event identifier to the context engine 110.
  • the process event identifier provides a set of attributes pertaining to the process event. This set of attributes includes the process identifier in some examples. In some examples, this set also includes a user identifier and/or a group identifier (e.g., an activity directory (AD) identifier).
  • AD activity directory
  • the GI agent provides all the process parameters (e.g., process identifier, user ID, group ID, process name, process hash, loaded module identifiers, consumption parameters, etc.) associated with a process event to the context engine when it reports the process event to the context engine.
  • the context engine directs the GI agent to collect from the OS modules additional process parameters that are associated with the process identifier that context engine received with the process event. These additional process parameters in some examples are the same (e.g., process name, process hash, loaded module identifiers, consumption parameters, etc.) as the process parameters mentioned above for reported network events.
  • the context engine 110 of some examples augments the contextual attributes that it receives from the GI agents 150 with contextual attributes that it receives from other modules that execute on the host.
  • the DPI module 135 also referred to as the deep packet inspector
  • the threat detector 132 also referred to as the threat inspection module
  • a DPI module is directed by the context engine 110 or another module (e.g., a firewall engine 128) to examine data messages of a data message flow associated with a process ID to identify the type of traffic being sent in these data messages by the application associated with the process ID.
  • the identified traffic-type identity is today commonly referred to as the AppID.
  • the context engine combines the AppID that it obtains for a network event with other context attributes that it identifies for this event, in order to produce a very rich set of attributes that the service engines can then use to perform their services.
  • This rich set of attributes provides true application identity (i.e., the application name, application version, application traffic type, etc.), based on which the service engines can perform their services.
  • the context engine 110 uses a network event's five-tuple identifier to associate the AppID for this event's data message flow with the contextual attributes that the context engine collects from the GI agent of the DCN associated with the data message flow (e.g., of the DCN from which the data message flow emanates).
  • the threat detector 132 provides a threat level indicator that specifies the threat level associated with a particular application that is executing on a DCN.
  • the context engine obtains a set of process parameters that specify that a process has started on a machine or is sending data messages on the machine, the context engine in some examples provides one or more process parameters (e.g., process hash, application name, application version, AppID, other process parameters, etc.) to the threat detection module.
  • process parameters e.g., process hash, application name, application version, AppID, other process parameters, etc.
  • This threat detection module then generates a threat level indicator (e.g., low, medium, high, etc.) for the identified process and provides this threat level indicator to the context engine.
  • the threat detector assigns a threat score to an application running on a DCN based on various application behavioral factors, such as (1) whether it does poor input validation, (2) whether it passes authentication credentials over unencrypted network links, (3) whether it uses weak password and account policies, (4) whether it stores configuration secrets in clear text, (5) whether it can transfer files, (6) whether the application is known to propagate malware, (7) whether the application is purposely evasive, (8) whether the application has known vulnerabilities, etc.
  • the threat detector is a third-party whitelisting application, such as the Bit9.
  • the context engine in some examples provides the threat level indicator produced by the threat detector 132 to one or more service engines as another contextual attribute for performing services on a new process event or the data messages of a new network event; a service engine can use the threat level indicator as another attribute to identify service rules to enforce.
  • the context engine 110 stores the contextual attributes that it collects for network events and process events in the attribute storage 145.
  • the context engine stores each set of contextual attributes with one or more network event identifiers and/or process identifiers.
  • the context engine 110 stores the collected contextual attributes for a new process event with the process identifier, or with a reference to this identifier.
  • the context engine uses the process identifier to provide the collected context attributes to a service engine (e.g., the process control engine 122) that performs a service for the process event.
  • a service engine e.g., the process control engine 122
  • the context engine in some examples stores the collected context attributes for a new network connection event with the five-tuple identifier of the network connection event, or with a reference to this five-tuple identifier.
  • the context engine provides to a service engine the context attributes for a network event along with this event's five-tuple identifier.
  • the data messages for this network event will use this five-tuple identifier, and hence the service engine can use the supplied five-tuple identifier to identify the context attributes associated with a data message flow.
  • the context engine employs a push model in some examples to distribute the collected contextual attributes to the service engines 130, while in other examples this engine employs a pull model to distribute these attributes to the service engines 130.
  • the context engine employs a push model for some service engines and a pull model for other service engines.
  • the context engine in some examples distributes to a service engine the contextual attributes that it collects for a process event or a network event with the process's identifier and/or the network event's flow identifier (e.g., the flow's five-tuple identifier).
  • the context engine distributes to the service engine only the contextual attributes that are relevant for that service engine's service rules.
  • the context engine compares each collected attribute in a set of collected attributes (e.g., for a network event or a process event) with a list of attributes used by a service engine's service rules, and discards each collected attribute that is not used by the service rules.
  • the context engine then provides to the service engine only the subset of collected attributes (in the set of collected attributes) that is being used by the engine's service rules.
  • the service engines perform this filtering operation to discard the contextual attributes that are not needed.
  • the context engine receives queries from a service engine for the contextual attributes that the context engine has collected for a particular process or network connection.
  • the context engine receives a process ID or a flow identifier (e.g., five-tuple identifier) with a query from the service engine, and uses the received identifier to identify the attribute set that it has to provide to the service engine.
  • a process ID or a flow identifier e.g., five-tuple identifier
  • the context engine generates a service token (also called a service tag) for the collection of attributes that are relevant for the service engine, and provides this service token to another module (e.g., the GI agent or another module on the host) to pass along to the service engine (e.g., pass along in a data message's encapsulating header).
  • the service engine then extracts the service token and provides this service token to the context engine in order to identify the contextual attributes that the context engine has to provide to the service engine.
  • the context engine 110 and the service engines 130 are all kernel space components of a hypervisor on which multiple VMs or containers execute, as further described below by reference to Figure 2 .
  • the context engine and/or one or more service engines are user space processes.
  • one or more service engines in some examples are service VMs (SVMs).
  • one or more service engines are in ingress datapaths and/or egress datapaths of DCNs, in order to receive access to data message flows to and from the DCNs to perform services on these data message flow.
  • one or more other modules on the host 100 intercept data messages from the ingress/egress datapaths and forward these messages to one or more service engines for these engines to perform services on the data messages.
  • One such approach will be described below by reference to Figure 2 .
  • the service engines 130 include the discovery engine 120, the process control engine 122, the encryption engine 124, the load balancer 126 and the firewall engine 128. Each of these service engines 130 has an attribute-based, service-rule storage.
  • Figure 1 collectively represents all the context-based, service-rule storages of these service engines with the context-based service rule storage 140 in order to simplify the illustration that is presented in this figure.
  • each service rule in the context-based service rule storage 140 has a rule identifier for matching to a process or flow identifier to identify the rule to enforce for a process or network event.
  • the context-based service rule storage 140 is defined in a hierarchical manner to ensure that a rule check will match a higher priority rule before matching a lower priority rule.
  • the context-based service rule storage 140 contains a default rule that specifies a default action for any rule check, as further explained below.
  • the firewall engine 128 performs firewall operations on data messages sent by or received for the DCNs 105. These firewall operations are based on firewall rules in the context-based service rule storage 140. Some of the firewall rules are defined purely in terms of layer 2-layer 4 attributes, e.g., in terms of five-tuple identifiers. Other firewall rules are defined in terms of contextual attributes that can include one or more of the collected contextual attributes, such as application names, application versions, AppID, resource consumption, threat level, user ID, group ID, etc. Yet other firewall rules in some examples are defined in terms of both L2-L4 parameters and contextual attributes. As the firewall engine 128 can resolve firewall rules that are defined by reference to contextual attributes, this firewall engine is referred to as a context-based firewall engine.
  • the context-based firewall engine 128 can allow, block or re-route data message flows based on any number of contextual attributes, because its firewall rules can be identified in terms of any combination of the collected contextual attributes. For example, this firewall engine can block all email traffic from chrome.exe when the user is part of a Nurse user group, when one firewall rule specifies that data messages should be blocked when the flow is associated with the Nurse group ID, the AppID identifies the traffic type as email, and the application name is Chrome.
  • context based firewall rules can block data message flows associated with video conferences, online video viewing, or use of old versions of software. Examples of such rules would block all Skype traffic, block all YouTube video traffic, block all HipChat audio/video conferences when application version number is older than a particular version number, block data message flows for any application with a high threat score, etc.
  • the load-balancing engine 126 performs load-balancing operations on data messages sent by the DCNs 105 to distribute the data message flows to different destination or service nodes in one or more destination/service node clusters. These load-balancing operations are based on load-balancing rules in the context-based service rule storage 140.
  • each load-balancing rule can specify one or more load-balancing criteria (e.g. a round robin criterion, a weighted round-robin criteria, etc.) for distributing traffic, and each criteria can be limited to a particular time range.
  • a load-balancing operation involves replacing a data message flow's destination network address (e.g., the destination IP address, the destination MAC address, etc.) with another destination network address.
  • load-balancing rules are defined purely in terms of L2-L4 attributes, e.g., in terms of five-tuple identifiers.
  • Other load-balancing rules are defined in terms of contextual attributes that can include one or more of the collected contextual attributes, such as application names, application versions, AppID, resource consumption, threat level, user ID, group ID, etc.
  • Yet other load-balancing rules in some examples are defined in terms of both L2-L4 parameters and contextual attributes.
  • this load-balancing engine is referred to as a context-based load balancer.
  • the context-based load balancer 126 can distribute the data message flows based on any number of contextual attributes, because its load-balancing rules can be identified in terms of any combination of the collected contextual attributes.
  • the data distribution of the load balancer 126 can be based on any combination of user and application data. Examples of such load-balancing operations include: (1) distributing data message flows associated with the Finance department on all load-balancing pools, (2) redirecting all the Finance department's traffic to another pool when the primary pool for this department is down to make this department's traffic highly available, and (3) making all traffic associated with the Doctor's user group highly available.
  • the load-balancing rules can also be defined in terms of collected resource consumption, in order to distribute traffic to provide more or less resources to applications that consume a lot of resources on the DCNs.
  • the encryption engine 124 performs encryption/decryption operations (collectively referred to as encryption operations) on data messages sent by or received for the DCNs 105. These encryption operations are based on encryption rules in the context-based service rule storage 140. In some examples, each of these rules includes an encryption/decryption key identifier, which the encryption engine can use to retrieve an encryption/decryption key from a key manager on the host or operating outside of the host. Each encryption rule also specifies in some examples the type of encryption/decryption operation that the encryption module has to perform.
  • Each encryption rule also has a rule identifier.
  • the rule identifiers are defined purely in terms of L2-L4 attributes, e.g., in terms of five-tuple identifiers.
  • Other encryption rules are defined in terms of contextual attributes that can include one or more of the collected contextual attributes, such as application names, application versions, AppID, resource consumption, threat level, user ID, group ID, etc.
  • Yet other encryption rules in some examples are defined in terms of both L2-L4 parameters and contextual attributes.
  • this encryption engine is referred to as a context-based encryption engine.
  • the context-based encryption module 124 can encrypt or decrypt the data message flows based on any number of contextual attributes because its encryption rules can be identified in terms of any combination of the collected contextual attributes.
  • the encryption/decryption operation of the encryption engine 124 can be based on any combination of user and application data. Examples of such encryption operations include: (1) encrypt all traffic from Outlook (started on any machine) to Exchange Server, (2) encrypt all communication between applications in a three tier Webserver, Application Server and Database Server, (3) encrypt all traffic originating from the Administrators Active Directory group, etc.
  • the process control engine 122 enforces context-based process control operations (e.g., process assessment and termination operations) on processes started on the DCNs 105.
  • context engine 110 receives a new process event from a GI agent 150 of a DCN, it provides the process parameters associated with this process event to the process control engine 122.
  • This engine uses the received set of process parameters to examine its context-based service rule storage 140 to identify a matching context-based, process-control rule.
  • the process control engine 122 can direct the context engine to direct the GI agent of the DCN to perform a process-control operation on a process.
  • process-control operations include (1) terminating a video conference application that has a particular version number, (2) terminating a browser that is displaying YouTube traffic, and (3) terminating applications that have a high threat level score.
  • the discovery engine 120 is another context-based service engine.
  • the discovery engine 120 captures new process events and new network events from the context engine, along with the contextual attributes that the context engine collects for these process and network events.
  • the discovery service engine then relays these events and their associated contextual attributes to one or more network managers (e.g., servers) that provide a management layer that allows network administrators to visualize events in a datacenter and specify policies for compute and network resources in the datacenter.
  • network managers e.g., servers
  • the discovery module of some examples performs some pre-processing of these events and attributes. For example, in some examples, the discovery module filters some of the network or process events, while aggregating some or all of these events and their attributes. Also, in some examples, the discovery engine 120 directs the context engine 110 to collect additional contextual attributes for process or network events through the GI agents 150 or other modules (e.g., the DPI engine or threat detection engine), or to capture other types of events, such as file events and system events.
  • the GI agents 150 or other modules e.g., the DPI engine or threat detection engine
  • the discovery engine directs the context engine to build an inventory of the applications installed on the machines, and to periodically refresh this inventory.
  • the discovery engine might so direct the context engine at the request of the management plane, or based on operational configurations that the management or control plane specifies for the discovery engine.
  • the context engine in some examples has each GI agent on each of its host's machine discover all installed processes on the machine, and all running processes and services.
  • the discovery engine of a host computer in a datacenter provides this information to the network/compute managers in the management plane.
  • the management plane collects contextual attributes from sources other than the host computer discovery and context engines. For instance, in some examples, the management plane collects from one or more servers compute context (e.g., cloud context from cloud vendors, or compute virtualization context by datacenter virtualization software), identity context from directory service servers, mobility context from mobility management servers, endpoint context from DNS (domain name server) and application inventory servers, network context (e.g., virtual network context from network virtualization server), etc.
  • compute context e.g., cloud context from cloud vendors, or compute virtualization context by datacenter virtualization software
  • identity context from directory service servers
  • mobility context from mobility management servers mobility context from mobility management servers
  • endpoint context from DNS domain name server
  • application inventory servers e.g., virtual network context from network virtualization server
  • the management plane can provide a user interface to the network/compute administrators to visualize the compute and network resources in the datacenter. Moreover, the collected contextual attributes allow the management plane to provide controls through this user interface for these administrators to specify context-based service rules and/or policies. These service rules/policies are then distributed to the host computers so that service engines on these computers can perform context-based service operations.
  • the contextual information e.g., information from the discovery and context engines and/or information from other context sources
  • the management plane can provide a user interface to the network/compute administrators to visualize the compute and network resources in the datacenter.
  • the collected contextual attributes allow the management plane to provide controls through this user interface for these administrators to specify context-based service rules and/or policies. These service rules/policies are then distributed to the host computers so that service engines on these computers can perform context-based service operations.
  • the same service engine 130 performs the same type of service (e.g., a firewall service) based on service rules that can be defined in terms of message flow identifiers (e.g., five-tuple identifiers) or in terms of collected contextual attributes (e.g., AppID, threat level, user identifier, group identifier, application name/version, etc.) associated with the data message flows.
  • service rules can be defined in terms of message flow identifiers (e.g., five-tuple identifiers) or in terms of collected contextual attributes (e.g., AppID, threat level, user identifier, group identifier, application name/version, etc.) associated with the data message flows.
  • different service engines provide the same type of service based on the message flow identifiers (e.g., five-tuple identifiers) and based the collected contextual attributes of the data message flows.
  • some examples use one flow-based firewall engine that performs firewall operations based on rules defined in terms of flow identifiers, and another context-based firewall engine that performs firewall operations based on rules defined in terms of context attributes (e.g., AppID, threat level, user identifier, group identifier, application name/version, etc.).
  • context attributes e.g., AppID, threat level, user identifier, group identifier, application name/version, etc.
  • Figure 2 illustrates a more-detailed example of a host computer 200 that in some examples is used to establish a distributed architecture for configuring and performing context-rich, attribute-based services in a datacenter.
  • This host computer 200 includes many of the same components as host computer 100, such as context engine 110, service engines 130, threat detector 132, DPI module 135, context-based service rule storage 140, and context-attribute storage 145.
  • the service engines 130 in Figure 2 include the discovery engine 120, the process control engine 122, the encryption engine 124, the load balancer 126 and the firewall engine 128.
  • the DCNs are VMs 205 that execute on a hypervisor.
  • the host computer 200 includes a software forwarding element 210, an attribute-mapping storage 223, a connection state cache storage 225, a MUX (multiplexer) 227, and a context-engine policy storage 143.
  • the context engine 110, the software forwarding element 210, the service engines 130, the context-based service rule storages 140, the connection state cache storage 225, the context-engine policy storage 143, and the MUX 227 operate in the kernel space of the hypervisor, while the VMs 205 operate in the hypervisor's user space.
  • one or more service engines are user space modules (e.g., are service VMs).
  • the VMs 205 serve as data end points in the datacenter. Examples of such machines include webservers, application servers, database servers, etc. In some cases, all the VMs belong to one entity, e.g., an enterprise that operates the host. In other cases, the host 200 operates in a multi-tenant environment (e.g., in a multi-tenant data center), and different VMs 205 may belong to one tenant or to multiple tenants.
  • Each VM 205 includes a GI agent 250 that interacts with the context engine 110 to provide context attribute sets to this engine, and to receive instructions and queries from this engine.
  • the interactions between the GI agents 250 and the context engine 110 are similar to the interactions described above between the GI agents 150 and the context engine 110. However, as shown in Figure 2 , all the communication between the context engine 110 and the GI agents 250 in some examples are relayed through the MUX 227.
  • One example of such a mux is the mux that is used by the Endpoint Security (EPSec) platform of ESX hypervisors of VMware, Inc.
  • EPSec Endpoint Security
  • the GI agents communicate with the MUX 227 through a fast communication channel (such as VMCI channel of ESX).
  • this communication channel is a shared memory channel.
  • the attributes collected by the context engine 110 from the GI agents 250 in some examples include a rich group of parameters (e.g., layer 7 parameters, process identifiers, user identifiers, group identifiers, process name, process hash, loaded module identifiers, consumption parameters, etc.)
  • each VM 205 also includes a virtual network interface card (VNIC) 255 in some examples.
  • VNIC virtual network interface card
  • Each VNIC is responsible for exchanging messages between its VM and the software forwarding element (SFE) 210.
  • SFE software forwarding element
  • Each VNIC connects to a particular port 260 of the SFE 210.
  • the SFE 210 also connects to a physical network interface card (NIC) (not shown) of the host.
  • NIC physical network interface card
  • the VNICs are software abstractions created by the hypervisor of one or more physical NICs (PNICs) of the host.
  • the SFE 210 maintains a single port 260 for each VNIC of each VM.
  • the SFE 210 connects to the host PNIC (through a NIC driver (not shown)) to send outgoing messages and to receive incoming messages.
  • the SFE 210 is defined to include a port 265 that connects to the PNIC's driver to send and receive messages to and from the PNIC.
  • the SFE 210 performs message-processing operations to forward messages that it receives on one of its ports to another one of its ports.
  • the SFE tries to use data in the message (e.g., data in the message header) to match a message to flow based rules, and upon finding a match, to perform the action specified by the matching rule (e.g., to hand the message to one of its ports 260 or 265, which directs the message to be supplied to a destination VM or to the PNIC).
  • data in the message e.g., data in the message header
  • the action specified by the matching rule e.g., to hand the message to one of its ports 260 or 265, which directs the message to be supplied to a destination VM or to the PNIC.
  • the SFE 210 is a software switch, while in other examples it is a software router or a combined software switch/router.
  • the SFE 210 in some examples implements one or more logical forwarding elements (e.g., logical switches or logical routers) with SFE executing on other hosts in a multi-host environment.
  • a logical forwarding element in some examples can span multiple hosts to connect VMs that execute on different hosts but belong to one logical network.
  • Different logical forwarding elements can be defined to specify different logical networks for different users, and each logical forwarding element can be defined by multiple software forwarding elements on multiple hosts. Each logical forwarding element isolates the traffic of the VMs of one logical network from the VMs of another logical network that is serviced by another logical forwarding element. A logical forwarding element can connect VMs executing on the same host and/or different hosts.
  • the SFE extracts from a data message a logical network identifier (e.g., a VNI) and a MAC address. The SFE in these examples uses the extracted VNI to identify a logical port group, and then uses the MAC address to identify a port within the port group.
  • a logical network identifier e.g., a VNI
  • Software switches are sometimes referred to as virtual switches because they operate in software and they provide the VMs with shared access to the PNIC(s) of the host.
  • software switches are referred to as physical switches because they are items in the physical world.
  • This terminology also differentiates software switches from logical switches, which are abstractions of the types of connections that are provided by the software switches.
  • VXLAN provides one manner for creating such logical switches. The VXLAN standard is described in Mahalingam, Mallik; Dutt, Dinesh G.; et al. (2013-05-08), VXLAN: A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks, IETF.
  • the ports of the SFE 210 in some examples include one or more function calls to one or more modules that implement special input/output (I/O) operations on incoming and outgoing messages that are received at the ports.
  • I/O operations that are implemented by the ports 260 include ARP broadcast suppression operations and DHCP broadcast suppression operations, as described in U.S. Patent 9,548,965 .
  • Other I/O operations (such as firewall operations, load-balancing operations, network address translation operations, etc.) can be so implemented in some examples of the invention.
  • the ports can implement a chain of I/O operations on incoming and/or outgoing messages in some examples.
  • other modules in the data path such as the VNICs 255, port 265, etc. implement the I/O function call operations instead of, or in conjunction with, the ports 260.
  • one or more of function calls of the SFE ports 260 can be to one or more service engines 130 that process context-based service rules in the context-based service rule storages 140.
  • Each service engine 130 in some examples has its own context-based service rule storage 140, attribute-mapping storage 223, and connection state cache storage 225.
  • Figure 2 presents just one context-based service rule storage 140, attribute-mapping storage 223, and connection state cache storage 225 for all the service engines in order not to obscure the presentation in this figure with unnecessary detail.
  • each VM has its own instance of each service engine 130 (e.g., its own instance of discovery engine 120, process control engine 122, encryption engine 124, load balancer 126, and firewall engine 128).
  • one service engine can service data message flows for multiple VMs on a host (e.g., VMs for the same logical network).
  • a service engine 130 In some examples, tries to match the flow identifier (e.g., the five-tuple identifier) and/or the flow's associated context attribute set to the rule identifiers of its service rules in its context-based service rule storage 140. Specifically, for a service engine 130 to perform its service check operation for a data message flow, the SFE port 260 that calls the service engine supplies a set of attributes of a message that the port receives. In some examples, the set of attributes are message identifiers, such as traditional five-tuple identifiers.
  • one or more of the identifier values can be logical values that are defined for a logical network (e.g., can be IP addresses defined in a logical address space). In other examples, all of the identifier values are defined in the physical domains. In still other examples, some of the identifier values are defined in the logical domain, while other identifier values are defined in the physical domain.
  • the service engine in some examples then uses the received message's attribute set (e.g., the message's five-tuple identifier) to identify the context attribute set that the service engine has stored for this flow in the attribute-mapping storage 223.
  • the context engine 110 in some examples supplies the context attributes for new flows (i.e., new network connection events) and for new processes to the service engines 130, along with a flow identifier (e.g., a five-tuple identifier) or a process identifier.
  • the context-engine policy storage 143 contains the rules that control the operation of the context engine 110.
  • these policies direct the context engine to generate rules for the service engines or to direct the service engines to generate rules (e.g., when a high-threat application runs on a VM, directing the encryption engine for all the other VMs on the same host to encrypt their data message traffic).
  • the service engines 130 in these examples store the context attributes that they receive from the context engine in the attribute-mapping storage 223.
  • a service engine 130 stores the context attribute set for each new flow or new process with that flow's identifier (e.g., five-tuple identifier) or that process' identifier in the attribute-mapping storage. In this manner, the service engine can identify the context attribute set for each new flow that it receives from the SFE ports 260 by searching its attribute-mapping storage 223 for a context record that has a matching flow identifier. The context record with the matching flow identifier includes the context attribute set for this flow. Similarly, to identify the context attribute set for a process event, a service engine in some examples searches its attribute-mapping storage 223 for a context record with a matching process identifier.
  • a service engine in some examples searches its attribute-mapping storage 223 for a context record with a matching process identifier.
  • some or all of the service engines in some examples pull the context attribute sets for a new flow or new process from the context engine. For instance, in some examples, a service engine supplies a new flow's five-tuple identifier that it receives from the SFE port 260, to the context engine 110. This engine 110 then examines its attribute storage 145 to identify a set of attributes that is stored for this five-tuple identifier, and then supplies this attribute set (or a subset of it that it obtains by filtering the identified attribute set for the service engine) to the service engine.
  • some examples implement the pull model by using a service token to encode the attribute set for a new message flow.
  • the context engine 110 in some examples (1) collects the context attribute set for the new event, (2) filters this set to discard the attributes that are not relevant for performing one or more services on the flow, (3) stores the remaining filtering attribute subset in the attribute storage 145 along with a service token, (4) provides the service token to the GI agent 250.
  • the GI agent 250 then causes this token to be passed to the service engine(s) in-band (e.g., in a header of the data message that the agent's VM sends to a destination) or out-of-band (i.e., separately from the data messages that the agent's VM sends to a destination).
  • the service engine When the service engine gets the new flow through the SFE port 260, it supplies this flow's service token to the context engine, which uses this service token to identify in its attribute storage 145 the context attributes to supply to the service engine.
  • the service engine first has to identify the service token by searching its data stores using the flow's identifier before supplying the service token to the context engine.
  • the service engine 130 After identifying the contextual attribute set for a data message flow, the service engine 130 in some examples performs its service operation based on service rules that are stored in the context-based service rule storage 140. To perform its service operation, the service engine 130 matches the received attribute subset with corresponding attribute sets that are stored for the service rules.
  • each service rule in the context-based service rule storage 140 has a rule identifier and an action parameter set.
  • the rule identifier of a service rule in some examples can be defined in terms of one or more contextual attributes that are not L2-L4 header parameters (e.g., are L7 parameters, process identifiers, user identifiers, group identifiers, process name, process hash, loaded module identifiers, consumption parameters, etc.).
  • a rule identifier can also include L2-L4 header parameters.
  • one or more parameters in a rule identifier can be specified in terms of an individual value or a wildcard value.
  • a rule identifier can include a set of individual values or a group identifier, such as a security group identifier, a compute construct identifier, a network construct identifier, etc.
  • the service engine compares the received attribute set with the associated identifiers of the service rules stored in the context-based service rule storage 140.
  • the service engine 130 performs a service operation (e.g., a firewall operation, a load balancing operation, an encryption operation, other middlebox operation, etc.), based on the action parameter set (e.g., based on Allow/Drop parameters, the load balancing criteria, encryption parameters, etc.) of the matching rule.
  • a service operation e.g., a firewall operation, a load balancing operation, an encryption operation, other middlebox operation, etc.
  • the action parameter set e.g., based on Allow/Drop parameters, the load balancing criteria, encryption parameters, etc.
  • the context-based service rule storage 140 is defined in a hierarchical manner to ensure that a message rule check will match a higher priority rule before matching a lower priority rule, when the message's attribute subset matches multiple rules. Also, in some examples, the context-based service rule storage 140 contains a default rule that specifies a default action for any message rule check that cannot identify any other service rules; this default rule will be a match for all possible attribute subsets in some examples, and ensures that the service rule engine will return an action for all received attribute subsets. In some examples, the default rule will specify no service.
  • Multiple messages can have the same message identifier attribute sets, e.g., when the messages are part of one flow that is associated with one communication session between two machines. Accordingly, after matching a data message with a service rule in the context-based service rule storage 140 based on the message's identified context attribute set, the service engine of some examples stores the service rule (or a reference to the service rule) in the connection state cache storage 225, so that it can later use this service rule for subsequent data messages of the same flow.
  • connection state cache storage 225 stores the service rule, or a reference to the service rule, that the service engine 130 identifies for different message identifier sets (e.g., for different five-tuple identifiers that identify different data message flows).
  • the connection state cache storage 225 stores each service rule, or reference to the service rule, with an identifier (e.g., a flow's five-tuple identifier and/or a hash value of the flow's five-tuple identifier) that is generated from the matching message identifier set.
  • the service rule engine 130 Before checking with the context-based service rule storage 140 for a particular message, the service rule engine 130 of some examples checks the connection state cache storage 225 to determine whether this storage has previously identified a service rule for this message's flow. If not, the service engine 130 identifies the contextual attribute set for the message flow, and then checks the context-based service rule storage 140 for a service rule that matches the message's identified attribute set and/or its five-tuple identifier. When the connection state data storage has an entry for the particular message, the service engine performs its service operation based on this service rule's action parameter set.
  • the DPI module 135 performs deep packet inspection on a data message flow at the direction of the firewall engine 128. Specifically, when the firewall engine 128 receives a new data message that is part of a new data message flow, the firewall engine in some examples directs the DPI module to inspect that new data message and one or more of the next few data messages in the same flow. Based on this examination, the DPI engine identifies the type of traffic (i.e., the application on the wire) that is being sent in this data message flow, generates an AppID for this traffic type, and stores this AppID in the attribute storage 145. In some examples, the context attribute sets are stored in the attribute storage based on flow identifiers and/or process identifier. Accordingly, in some examples, the DPI engine 135 stores the AppID for a new data message flow in the attribute storage 145 based on that flow's five-tuple identifier.
  • the type of traffic i.e., the application on the wire
  • the DPI engine 135 stores the AppID for
  • the context engine 110 pushes to the service engines 130 the AppID for a new data message flow once the DPI engine stores the AppID in the attribute storage 145. In other examples, the context engine 110 pulls the AppID from the attribute storage 145 whenever it is queried for the contextual attributes for a data message flow by a service engine. In some examples, the context engine 110 uses the five-tuple identifier of the flow to identify the record in the attribute storage 145 with the matching record identifier and the AppID.
  • Figure 3 illustrates a process 300 that the context engine performs 110 in some examples each time it is notified about a new process or network-connection event.
  • the process 300 From a GI agent 250 of a VM 205, the process 300 initially receives (at 305) a notification regarding a new process or network connection event.
  • the process 300 collects all the desired contextual attributes regarding the notified event.
  • the context engine 110 in some examples interacts (at 310) with the reporting GI agent 250 to collect additional information regarding a reported event.
  • the GI agent in some examples interacts with the network stack and/or process subsystem in the VM's OS kernel space to collect contextual attributes regarding a process or network event.
  • the GI agent in some examples also collects this information from user-space modules (e.g., a user mode dynamic-link library, DLL) that operate in user-space process (e.g., a VMtool.exe) to collect contextual attributes.
  • user-space modules e.g., a user mode dynamic-link library, DLL
  • DLL user mode dynamic-link library
  • the GI agent registers hooks in the Windows Filtering Platform (WFP) to obtain network events, while registering in the Window's Process Subsystem to collect process related attributes.
  • WFP Windows Filtering Platform
  • the GI agent hook is at the Application Layer Enforcement (ALE) layer of WFP, so that it can capture all socket-connection requests from application processes
  • the context engine 110 interacts with the management or control plane to collect contextual attributes, and/or to receive records that it can examine to identify contextual attributes for identified network or process events.
  • the context engine interacts with a management or control plane proxy (that operates on its host) in order to obtain data from the management or control plane servers that operate outside of the host.
  • the context engine operates in the kernel space.
  • the process uses (at 315) the attributes of the received event or the contextual attributes collected for the received event to identify one or more policies in the context-engine policy storage 143.
  • the process identifies any policy that has a policy identifier that matches the collected attributes and event attributes.
  • the process produces context-attribute mapping records for one or more service engines based on the policies identified at 315.
  • One or more of the identified policies might specify that for a particular process or network event, a particular set of service engines need to be notified about the event (e.g., about a new data message flow), with each service engine receiving a subset of contextual attributes that are relevant for that service engine to perform its processing for that event.
  • This operation in some examples involves the context engine not including attributes that are not relevant for each particular service engine in the subset of contextual attributes that it provides to that particular service engine.
  • certain events might necessitate new service rules to be created for one or more service engines.
  • a policy might specify that other VMs on that host might have to start to encrypt their data message traffic.
  • the context-engine policy storage 143 includes policies that direct the context engine to generate service rules for service engines under certain circumstances, or to direct the service engines to generate such service rules.
  • the process (at 320) if needed, generates service rules for service engines under certain circumstances, or directs the service engines to generate such service rules
  • the process 300 distributes the mapping records and/or generated service rules/instructions to one or more service engines.
  • the context engine can employ a push model or a pull model to distribute such records and/or rules/instructions.
  • the process 300 in some examples not only performs the operation 325 in response to a query from a service engine, but also performs some or all of the operation 320 in response to this query. After 325, the process ends.
  • the load balancing engine 126 is a context-based load balancer that performs its load balancing operations based on load-balancing rules that can be specified in terms of not only L2-L4 parameters, but also in terms of contextual attributes.
  • Figure 4 illustrates an example of such context-based load balancing rules. These rules are used independently by different load balancing engines 126 on different hosts 500 to distribute data messages from different webserver VMs 505 on these hosts to different application server VMs 510, as shown in Figure 5 .
  • the hosts 500 are similar to the host 200, and the webserver VMs 505 and the application server VMs 510 are similar to the VMs 205 of Figure 2 .
  • hosts 500 that are shown in Figure 5 are the load balancers 126 and the webserver VMs 505, with the load balancers appearing as service modules in the egress path of the webservers VMs 505.
  • the load balancers 126 collectively form a distributed load balancer (i.e., a single, conceptual logical load balancer) that spans across the multiple hosts to distribute webserver VM traffic uniformly across the application server VMs.
  • the load balancing criteria of the load-balancing rules for the different load balancers 126 in some examples is the same to ensure uniform treatment of the webserver VM traffic.
  • host 500b multiple webserver VMs 505 can execute on the same host 500, with each of these webserver VMs being serviced by a different load balancer 126.
  • one load balancer can service multiple VMs on the same host (e.g., multiple VMs for the same tenant on the same host). Also, in some examples, multiple application server VMs can execute on the same host with each other and/or with the webserver VMs.
  • the load balancers 126 perform a destination network address translation (DNAT) that transforms a virtual IP (VIP) address for the application servers to a specific application VM's IP address, called a destination IP address or a DIP.
  • DNAT destination network address translation
  • the DNAT operation can translate other network addresses, e.g., it can translate the MAC address to effectuate a MAC-redirect.
  • the load balancers in Figures 4-5 distribute webserver traffic among the application servers of an application server group (cluster), the load balancers can be used to distribute traffic from any set of one or more service or compute nodes among the service or compute nodes of any service/compute node cluster.
  • FIG. 4 illustrates a load-balancing (LB) rule storage 140 that stores several LB rules, with each LB rule associated with one load-balanced compute or service cluster.
  • Each load-balance rule includes (1) a rule identifier 405, (2) several IP addresses 410 of several nodes of the load-balanced node group, and (3) a weight value 415 for each IP address.
  • Each rule identifier 405 specifies one or more data tuples that can be used to identify a rule that matches a data message flow.
  • a rule identifier can include a VIP address (such as the VIP address of the application server group in Figure 5 ) of the rule's associated DCN group.
  • the rule identifier can include in some examples any L2-L4 parameters (e.g., source IP address, source port, destination port, protocol, etc.).
  • the rule identifier for a LB rule can include contextual attributes, such as AppID, application name, application version, user ID, group ID, threat level, resource consumption, etc.
  • a load balancer searches a LB data storage by comparing one or more message attributes (e.g., five-tuple header values, contextual attributes) with the rule identifiers 405 to identify the highest priority rule with a matching rule identifier.
  • message attributes e.g., five-tuple header values, contextual attributes
  • Each LB rule's IP addresses 410 are the IP addresses of the compute or service node that are members of the load-balanced compute or service group that is associated with the rule (e.g., of the load-balanced group that is associated with a VIP address specified in the rule's identifier 405). As further described below, the addresses of these nodes are supplied in some examples by a controller set that configures the load balancers. In some examples, the load balancer translates the destination IP address of a received data message to one of the IP addresses 410 (e.g., translates a VIP contained in the data message to a DIP).
  • a load balancer performs its load-balancing operation based on one or more load-balancing criteria.
  • the LB rules of some examples contain such LB criteria, in order to specify within each rule how the load balancer should spread the traffic across the nodes of a load-balanced group when a message flow matches that rule.
  • the load-balancing criteria is a weighted round robin scheme that is defined by the weight values 415 of each rule. Specifically, the weight values 415 for each IP address of each LB rule provides the criteria for a load balancer to spread the traffic to the nodes of a LB node group.
  • the application server group of Figure 5 has five application servers. Assume that the load-balancing rule for distributing the webserver traffic amongst these five application servers specifies the weight values of 1, 3, 1, 3, and 2 for the five IP addresses of the five application servers. Based on these values, a load balancer would distribute data messages that are part of ten new flows in the following order: first flow to the first IP address, second to fourth flow to the second IP address, fifth flow to the third IP address, sixth to eighth flow to the fourth IP address, and ninth and tenth flow to the fifth IP address. According to this scheme, the assignment of the next batch of new flows loops back through these IP addresses (e.g., the eleventh flow would be assigned to the first IP address and so on).
  • the weight values for an LB rule are generated and adjusted by the controller set based on the LB statistics that the load balancers (1) collect regarding the data message flows that they distribute amongst the nodes of the LB node group(s) and (2) provide to controller set.
  • the LB rules in some examples specify time periods for different load-balancing criteria of a LB rule that are valid for different periods of time. Accordingly, in some examples, a load-balancing rule might specify multiple different sets of destination network addresses with different temporal values that specify when each set of addresses is valid. Each of these sets in some examples can include its own set of LB criteria (e.g., its own set of weight values).
  • Figure 6 illustrates a process 600 that the load balancer 126 performs in some examples.
  • the process 600 starts when the load balancer receives (at 605) a data message from its corresponding SFE port 260.
  • This port relays this message when it receives the data message from its VM or for its VM.
  • the port relays the data message by passing to the load balancer a reference (e.g., a handle that identifies a location in memory that stores the data message) to the data message or the data message's header values.
  • a reference e.g., a handle that identifies a location in memory that stores the data message
  • the process determines (at 610) whether the connection state cache 225 stores a record that identifies the destination to which the data message should be forwarded.
  • the load balancer in some examples creates a record in the connection state cache 225 to store the physical IP address of the selected node, so that when the load balancer receives another data message within the same flow (i.e., with the same five-tuple identifier), it can forward it to the same node that it used for previous data messages in the same flow.
  • the use of the connection state cache 225 allows the load balancer 126 to process the data message flows more quickly.
  • each cached record in the connection state cache 225 has a record identifier that is defined in terms of data message identifiers (e.g., five-tuple identifiers).
  • the process compares the received data message's identifier (e.g., five-tuple identifier) with the record identifiers of the cached records to identify any record with a record identifier that matches the received data message's identifier.
  • the process 600 When the process 600 identifies (at 610) a record for the received data message's flow in the connection state cache 225, the process (at 615) then replaces the message's destination address (e.g., the VIP address) with the destination address (e.g., the DIP) that is stored in the record in the connection state cache 225.
  • the process sends the address-translated data message along its datapath. In some examples, this operation entails returning a communication to the SFE port 260 (that called the load balancer to initiate the process 600) to indicate that the load balancer is done with its processing of the VM data message.
  • the SFE port 260 can then handoff the data message to the SFE, or can call another service engine in the I/O chain operator to perform another service operation on the data message.
  • the process 600 also updates in some examples the statistics that it maintains regarding its data message flow processing. After 615, the process 600 ends.
  • the process 600 determines (at 610) that the connection state cache 225 does not store a record for the received data message's flow, the process 600 identifies (at 620) one or more contextual attributes for this data message flow.
  • the service engines of different examples perform this operation differently. For instance, in some examples, the load balancer 126 checks the attribute-mapping storage 223 for a record that has a record identifier that matches the received data message's header values (e.g., its five-tuple identifier). It then uses (at 620) the contextual attribute set of this matching record as the contextual attribute set of the received data message flow.
  • the load balancer 126 queries the context engine to obtain the contextual attribute set for the received data message. With this query, the load balancer supplies the received message's flow identifier (e.g., five-tuple identifier) or its associated service token. The context engine then uses the message's flow identifier or its associated service token to identify a set of contextual attributes in its context attribute storage 145, and it then provides the identified set of contextual attributes to the load balancer 126, as explained above.
  • the load balancer 126 queries the context engine to obtain the contextual attribute set for the received data message. With this query, the load balancer supplies the received message's flow identifier (e.g., five-tuple identifier) or its associated service token. The context engine then uses the message's flow identifier or its associated service token to identify a set of contextual attributes in its context attribute storage 145, and it then provides the identified set of contextual attributes to the load balancer 126, as explained above.
  • the context engine uses the message's flow identifier or its associated service
  • the process 600 uses this attribute set along with the message's other identifiers to identify (at 625) an LB rule in the LB rule storage 140 for the data message received at 605.
  • the LB rules have rule identifiers 405 that are defined in terms of one or more of the five-tuple attributes along with one or more contextual attributes, such as application name, application version, user ID, group ID, AppID, threat level, resource consumption level, etc.
  • the process in some examples compares the contextual attributes and/or other attributes (e.g., five-tuple identifier) of the received data message with the rule identifiers (e.g., rule identifiers 405) of the LB rules to identify the highest priority rule that has an identifier that matches the message's attribute set.
  • the rule identifiers e.g., rule identifiers 405
  • the process uses different message-attribute sets to perform this comparison operation.
  • the message attribute set includes the destination IP address of the message (e.g., the VIP of the addressed node group) along with one or more contextual attributes
  • the message attribute set includes other attributes, such as one or more of the other five-tuple identifiers (e.g., one or more of the source IP, source port, destination port, and protocol).
  • the message attribute set includes logical network identifiers such as virtual network identifier (VNI), virtual distributed router identifier (VDRI), a logical MAC address, a logical IP address, etc.
  • each LB rule in some examples includes two or more destination addresses (e.g., IP addresses 410), which are the destination addresses (e.g., IP addresses) of the nodes that are members of the load-balanced node group.
  • the process identifies an LB rule (at 630), it selects one of the destination addresses (e.g., IP addresses) of the rule to replace the virtual address (e.g., the VIP address) in the message.
  • each LB rule in some examples stores a set of load-balancing criteria for facilitating the process' selection of one of the destination addresses of the LB rule to replace the message's virtual destination identifier.
  • the stored criteria are the weight and/or times values that were described above by reference to Figures 4 and 5 . Accordingly, in some examples, the process 600 selects one of the matching rule's destination addresses based on the selection criteria stored in the rule, and changes the message's destination address to the selected destination address.
  • the process sends the data message along its datapath.
  • this operation entails returning a communication to the SFE port 260 (that called the load balancer to initiate the process 600) to indicate that the load balancer is done with its processing of the VM data message.
  • the SFE port 260 can then handoff the data message to the SFE or the VM, or can call another service engine in the I/O chain operator to perform another service operation on the data message.
  • the process transitions to 635, where in the connection state cache storage 225, it creates a record to identify the compute or service node in the load-balanced group (i.e., to identify the node destination identifier) to use to forward data messages that are part of the same flow as the data message received at 605.
  • the process 600 also updates the statistics that it maintains for the node to which the message was addressed by the process 600. This update reflects the transmission of a new data message to this node.
  • the process ends.
  • the context-based load balancer 126 can distribute the data message flows based on any number of contextual attributes.
  • load-balancing operations include: (1) distributing data message flows associated with the Finance department on all load-balancing pools, (2) redirecting all the Finance department's traffic to another pool when the primary pool for this department is down to make this department's traffic highly available, (3) making all traffic associated with the Doctor's user group highly available, and (4) distributing data message flows for Finance applications amongst the service nodes of a low-latency service node group.
  • the load-balancing rules can also be defined in terms of collected resource consumption, in order to distribute traffic to provide more or less resources to applications that consume a lot of resources on the DCNs.
  • the management plane obtains an inventory of all processes and services that are running on the VMs on the hosts in a datacenter.
  • the discovery engine 120 of a host 200 in some examples assists in collecting this data from the VMs executing on its host.
  • the inventoried process/services are referred to as the inventoried applications, which include all client processes, services or daemons that utilize network input/output and all server processes that have registered to listen to (i.e., to obtain messages) certain network connections.
  • the discovery engine collects this data using the GI agents 250 and the MUX 227 in some examples.
  • the management servers e.g., the network managers and/or compute managers
  • each application is identified by comparing its file hash obtained from the VMs 205 with hashes of application files stored in the application data storage of the management plane.
  • the management plane in some examples has the discovery engines update their data collection so that the management plane can refresh its inventory on a scheduled basis.
  • the management plane in some examples then provides a rule creation interface for allowing administrators to create context-based LB rules and/or policies for the LB engines 126 (as well as service rules for the other service engines 130).
  • the rule creation interface allows the administrators to define high-level LB policies (and other service policies) based on applications inventoried through the data collected by the discovery engines 120, and contextual attributes collected by the context engines 110 and by the management plane's interface with other management server clusters.
  • the management plane directly supplies some or all of these policies to the management proxies (not shown) on the hosts 200, and/or indirectly supplies some or all of these policies to these proxies through a set of controllers (e.g., network controllers).
  • the management proxies publish the received policies as rules to the context-based service rule storages 140.
  • the proxies transform these policies before publishing them to the context-based service rule storages 140. For instance, in some examples, the policies are published with AppliedTo tuples that identify the service nodes and/or logical networks to which they are associated.
  • the management proxies on the hosts remove the AppliedTo tuple from each service policy, before pushing the policy as a service rule to the service rule storage 140.
  • the context engines 110 on the hosts 200 in some examples resolve the policies based on collected contextual attributes, in order to generate rules for the service engines.
  • the firewall engine 128 is a context-based firewall engine that performs its firewall operations based on firewall rules that can be specified in terms of not only L2-L4 parameters, but also in terms of contextual attributes.
  • Figure 7 illustrates several examples of such firewall rules. This figure illustrates a firewall rule data store 140 of some examples. As shown, each firewall rule includes a rule identifier 705 and a firewall action parameter 710.
  • a firewall action parameter 710 can specify any one of the traditional firewall actions, such as Allow, Drop, Re-Route, etc.
  • Each rule identifier 705 specifies one or more data tuples that can be used to identify a rule that matches a data message flow.
  • a rule identifier can include in some examples any L2-L4 parameters (e.g., source IP address, source port, destination port, protocol, etc.).
  • L2-L4 parameters e.g., source IP address, source port, destination port, protocol, etc.
  • One or more of these parameters can be virtual parameters (e.g., a VIP of a destination cluster) or a logical identifier (e.g., a logical network identifier).
  • a rule identifier can also include contextual attributes, such as AppID, application name, application version, user ID, group ID, threat level, and resource consumption.
  • a firewall engine searches a firewall data storage by comparing one or more message attributes (e.g., five-tuple header values, contextual attributes) with the rule identifiers 705 to identify the highest priority rule with a matching rule identifier.
  • different firewall engines 128 on different hosts enforce the same set of firewall rules. For instance, in some examples, different firewall engines 128 process the same firewall rules on different hosts for VMs of one logical network in order to provide a level of security on data messages that are transmitted by or received for these VMs. For this logical network, these firewall engines 128 collectively form a distributed firewall engine (i.e., a single, conceptual logical firewall engine) that spans across the multiple hosts.
  • a distributed firewall engine i.e., a single, conceptual logical firewall engine
  • Figure 8 illustrates several more detailed examples of the context-based firewall rules of some examples.
  • the rule identifier 705 of each rule is expressed in terms of the five-tuple identifier and one or more contextual attributes.
  • Each rule has one or more attributes in its five-tuple identifier that are wildcard values designated by an asterisk in order to specify that the value of these attributes do not matter (i.e., the data message flow can have any value for these attributes without failing to match the rule).
  • the first rule 835 specifies that all data message flows from Skype version 1024 should be dropped.
  • the rule identifier for this rule is expressed only in terms of the contextual attributes of the data message flow.
  • each time the firewall engine 128 identifies a new data message flow it identifies the flow's contextual attributes by interacting with the context engine or by examining the records in its attribute-mapping storage 223 to identify a record that specifies the contextual attributes for the flow's five-tuple identifier.
  • the second rule 830 specifies that all data message flows that have a Group ID equal to Nurses and AppID equal to YouTube traffic are to be dropped. By enforcing this rule, the firewall engine 128 can make sure that nurses that login to its VM 205 cannot view YouTube traffic.
  • the rule identifier for this rule is expressed only in terms of the contextual attributes of the data message flow. In this example, the contextual attributes are the Group ID and the AppID.
  • Figure 9 presents an example that illustrates the enforcement of the second rule 830 by the firewall engine 128. Specifically, it shows this firewall engine 128 allowing a first data message 905 from a browser 910 to pass through, while blocking a second data message 915 from this browser. As shown, both these data messages are associated with an operation that a nurse 920 has performed on the browser. The first data message flow is allowed to pass through as it relates to an email that the nurse is sending through the browser. This firewall engine 128 allows this message to go through because it does not match any firewall rule that requires the message to be blocked. The firewall engine 128, on the other hand, blocks the second data message as it relates to the nurse trying to watch a YouTube video, and this type of data message flow is prohibited by rule 830.
  • the third rule 825 in Figure 8 specifies that all data message flows that are associated with a high threat level indicator should be blocked if they are going to a particular destination IP address A.
  • the rule identifier for this rule is defined in terms of a contextual attribute (i.e., the high threat level indicator) and one attribute (the destination IP address) in the five-tuple identifier of the data message.
  • Figure 10 presents an example that in two stages illustrates the enforcement of this rule 825 by the firewall engine 128. Specifically, it shows in a first stage 1002 the firewall engine 128 allows data messages 1010 to pass from a VM 205 to another VM 1020 (outside of the host) that has the particular destination IP address A. In the second stage 1004, an application 1005 is installed on the VM 205. This application is designated as a high threat application by the threat detector 132. Whenever a new data message flow starts on the VM, the context engine associates this data message flow with a high threat level tag.
  • the firewall engine 128 blocks a data message 1050 from the VM 205 to the other VM 1020 as this data message is associated with the high threat level, and the rule 815 prohibits such a data message to be sent to IP address A of the VM 1020.
  • the fourth and fifth rules 820 and 815 in Figure 8 specify that data messages associated with the Doctor and Nurses groups can access VMs associated with a VIP address A, while data messages associated with the Accountant group cannot access these VMs.
  • the rule identifier for the fourth rule is defined in terms of two contextual attributes (i.e., Doctor and Nurse group identifiers) and one attribute (the VIP destination address A) in the five-tuple identifier of the data message.
  • the rule identifier for the fifth rule is defined in terms of one contextual attribute (i.e., Accountant group identifier) and one attribute (the VIP destination address A) in the five-tuple identifier of the data message.
  • the VIP address is an address of a cluster of VMs that perform the same function, and a load balancer will translate this VIP address to the IP address of one of the VMs in the cluster.
  • Figure 11 presents an example that illustrates the enforcement of the fourth and fifth rules 820 and 815 by the firewall engine 128. Specifically, it shows two users concurrently logged into one VM that is acting as a terminal server. One of these users is a Nurse X, while another user is an accountant Y. Figure 11 further shows that the firewall engine 128 allows a first data message 1105 from the Nurse X's session to pass through to a VM in a VM cluster 1150 identified by the destination IP address VIP A. It also shows the firewall engine blocking a second data message 1110 from the Accountant Y's session from reaching any of the VMs in this VM cluster, because the fifth rule 815 prevents data messages that are associated with the Accountants Group ID to reach the destination IP address VIP A.
  • the two data messages are for two different actual users who are concurrently logged into a VM.
  • administrative processes might be running on the VM in conjunction with the processes that run for the applications started by the logged in user.
  • the administrative processes can be services/daemons running in a VM in a different user context than the logged in user. Services generally run in admin/root context and not in the logged in user context. This is a potential security hole as it might allow any application running in a non-logged on user context to access a network resource. Accordingly, even when only a single user is logged into a VM, it can be desirable to specify firewall rules that treat differently the data messages associated with background administrative processes from data messages associated with processes that run for the applications started by the logged in user.
  • the sixth rule 810 allows data messages of processes associated with the applications operated by an individual in the High Security Group to access other VMs with sensitive data (in this example, these VMs are part of a cluster of VMs associated with an IP address VIP B), while the seventh rule 805 blocks data messages associated with background administrative processes from accessing such VMs. This is useful for ensuring that IT personnel or hackers cannot create a back door to access sensitive data by installing administrative processes that access high security VMs that piggyback off the login session of a user with the appropriate clearance.
  • Figure 12 presents an example that illustrates the enforcement of the sixth and seventh rules 810 and 805 by the firewall engine 128. Specifically, it shows two data message flows concurrently emanating from one VM. One data message flow is associated with the CEO, while another is associated with a background IT utility process called Utility Q. Figure 12 further shows that the firewall engine 128 allows a data message 1205 from the CEO's session to pass through to a VM in a high security cluster 1250 identified by the VIP address B. It also shows the firewall engine blocking a second data message 1210 from the Utility Q's session from reaching any of the VMs in the high security cluster, because the seventh rule 805 prevents data messages that are associated with administrative processes (such as the Utility Q process) from reaching the VIP address B.
  • administrative processes such as the Utility Q process
  • the firewall engine can differentiate the data message flows for two different processes that run concurrently on a VM for two different login/administrative credentials because the context engine collects the user and group identifiers for each data message flow when each flow starts, and associates each flow with its user and group identifiers.
  • Figure 13 illustrates a process 1300 that the context engine performs to collect the user and group identifiers each time it receives a new network connection event from a GI agent.
  • the process 1300 initially receives (at 1305) a notification of a new network connection event from a GI agent 250 on a VM 205.
  • the GI agent in some examples provides the following information in a new network connection notification: the connection's five-tuple identifier, the identifier of the process requesting the network connection, a user identifier associated with the requesting process, and a group identifier associated with the requesting process.
  • the process 1300 queries the GI agent to collect any other contextual attributes needed for the new network connection event. Examples of such additional parameters include additional parameters associated with the process requesting the network connection.
  • the process 1300 then publishes one or more context attribute records to one or more service engines.
  • each context attribute record to each service engine includes the connection's five-tuple identifier and a set of one or more context attributes, including the user identifier and/or the group identifier.
  • the service engines then store the provided contextual attribute records in their attribute-mapping storages 223, so that they can use these records to identify the context attribute sets associated with different data message flows that they process.
  • the context attribute sets include a user identifier or a group identifier to allow these service engines to associate different data message flows from the VM to different user/group identifiers.
  • the context engine does not include in a service engine's context attribute record the contextual attributes that are not needed by the service engine. Also, in some examples, the context engine provides different context attribute records to different context engines for the same network connection event, because different service engines need different sets of context attributes. As described above, the context engine 110 in some examples does not push the context attribute sets for new network connections to some or all of the service engines, but rather has these service engines pull these attribute sets.
  • the context engine can associate a data message flow on a source host with the source VM (i.e., the VM that is the source of the data message flow) with a contextual attribute of a destination VM on the same host or a different destination host.
  • the firewall engine 128 in these examples can then use such destination-based contextual attributes to resolve firewall rules. For instance, the firewall engine can drop all data messages addressed to a particular type of server (e.g., a Sharepoint server).
  • the context engines of some examples directs the GI agents to identify the processes that register for notifications on particular ports, and uses this information along with process identifiers and hashes to identify the applications that serve as destinations of data message flows.
  • the information collected by the context engines on the different hosts are collected by the management plane (e.g., by management servers that operate on separate computers or on the same hosts that execute the VMs), which aggregates this data and distributes the aggregated data to the other context engines.
  • the distributed information can then be used by the context engines on the host to resolve contextual policies on these hosts, in order to supply context-based rules to the context-based service engines on these hosts.
  • Figure 14 illustrates a process 1400 that the firewall engine 128 performs in some examples.
  • the process 1400 starts when the firewall engine receives (at 1405) a data message from its corresponding SFE port 260.
  • This port relays this message when it receives the data message from its VM or for its VM.
  • the port relays the data message by passing to the firewall engine a reference (e.g., a handle that identifies a location in memory that stores the data message) to the data message or the data message's header values.
  • a reference e.g., a handle that identifies a location in memory that stores the data message
  • the process determines (at 1410) whether the connection state cache 225 stores a record that identifies a firewall action for the message flow of the received data message.
  • the firewall engine in some examples creates a record in the connection state cache 225 to store the firewall action performed, so that when the firewall engine receives another data message within the same flow (i.e., with the same five-tuple identifier), it can perform the same firewall action that it performed on previous data messages in the same flow.
  • the use of the connection state cache 225 allows the firewall engine 128 to process the data message flows more quickly.
  • each cached record in the connection state cache 225 has a record identifier that is defined in terms of data message identifiers (e.g., five-tuple identifiers).
  • the process compares the received data message's identifier (e.g., five-tuple identifier) with the record identifiers of the cached records to identify any record with a record identifier that matches the received data message's identifier.
  • the process 1400 When the process 1400 identifies (at 1410) a record for the received data message's flow in the connection state cache 225, the process (at 1415) then performs the firewall action (e.g., Allow, Drop, Re-Route, etc.) specified in this record. Assuming that the firewall action does not require the data message to be dropped, the process 1400 sends the processed data message along its datapath. In some examples, this operation entails returning a communication to the SFE port 260 (that called the firewall engine to initiate the process 1400) to indicate that the firewall engine is done with its processing of the VM data message. The SFE port 260 can then handoff the data message to the SFE or the VM, or can call another service engine in the I/O chain operator to perform another service operation on the data message.
  • the firewall action e.g., Allow, Drop, Re-Route, etc.
  • the process 1400 When the firewall action performed at 1415 results in the dropping of the data message, the process 1400 notifies (at 1415) the SFE port 260 of this operation. Also, when the firewall action performed at 1415 requires the data message to be re-routed, the process 1400 performs (at 1415) a network address translation on the data message in order to effectuate this re-routing, and then returns (at 1415) the data message to the SFE port so that the data message can be sent along its datapath. After 1415, the process 1400 ends.
  • the process 1400 determines (at 1410) that the connection state cache 225 does not store a record for the received data message's flow
  • the process 1400 identifies (at 1420) one or more contextual attributes for this data message flow.
  • the service engines of different examples perform this operation differently. For instance, in some examples, the firewall engine 128 checks the attribute-mapping storage 223 for a record that has a record identifier that matches the received data message's header values (e.g., its five-tuple identifier). It then uses (at 1420) the contextual attribute set of this matching record as the contextual attribute set of the received data message flow.
  • the firewall engine 128 queries the context engine to obtain the contextual attribute set for the received data message. With this query, the firewall engine supplies the received message's flow identifier (e.g., five-tuple identifier) or its associated service token. The context engine then uses the message's flow identifier or its associated service token to identify a set of contextual attributes in its context attribute storage 145, as explained above.
  • the firewall engine supplies the received message's flow identifier (e.g., five-tuple identifier) or its associated service token.
  • the context engine uses the message's flow identifier or its associated service token to identify a set of contextual attributes in its context attribute storage 145, as explained above.
  • the process 1400 uses this attribute set along with the message's other identifiers to identify (at 1425) a firewall rule in the firewall rule data store 140 for the data message received at 1405.
  • the firewall rules have rule identifiers 705 that are defined in terms of one or more of the five-tuple attributes along with one or more contextual attributes, such as application name, application version, user ID, group ID, AppID, threat level, resource consumption level, etc.
  • the process in some examples compares the contextual attributes and/or other attributes (e.g., five-tuple identifier) of the received data message with the rule identifiers (e.g., rule identifiers 705) of the firewall rules to identify the highest priority rule that has an identifier that matches the message's attribute set.
  • the rule identifiers e.g., rule identifiers 705
  • the process uses different message-attribute sets to perform this comparison operation.
  • the message attribute set includes one or more of the other five-tuple identifiers (e.g., one or more of the source IP, source port, destination port, and protocol) along with one or more contextual attributes.
  • the message attribute set includes logical network identifiers such as virtual network identifier (VNI), virtual distributed router identifier (VDRI), a logical MAC address, a logical IP address, etc.
  • the process After the process identifies a firewall rule (at 1425), it performs (at 1430) the firewall action (e.g., Allow, Drop, Re-Route, etc.) of this rule on the received data message. Assuming that the firewall action does not require the data message to be dropped, the process 1400 sends (at 1430) the processed data message along its datapath. In some examples, this operation entails returning a communication to the SFE port 260 (that called the firewall engine to initiate the process 1400) to indicate that the firewall engine is done with its processing of the VM data message. The SFE port 260 can then handoff the data message to the SFE or the VM, or can call another service engine in the I/O chain operator to perform another service operation on the data message.
  • the firewall action e.g., Allow, Drop, Re-Route, etc.
  • the process 1400 When the firewall action performed at 1430 results in the dropping of the data message, the process 1400 notifies (at 1430) the SFE port 260 of this operation. Also, when the firewall action performed at 1430 requires the data message to be re-routed, the process 1400 performs (at 1430) a network address translation on the data message in order to effectuate this re-routing, and then returns (at 1430) the data message to the SFE port so that the data message can be sent along its datapath.
  • the process After performing the firewall action at 1430, the process creates (at 1435) a record in the connection state cache storage 225.
  • This record identifies the firewall action for the received data message's flow. In some examples, this record has a record identifier that is defined by reference to the data message flow's identifier (e.g., its five tuple identifier).
  • the management servers in some examples interact with the discovery engines 120 executing on the hosts 200 in a data center to obtain and refresh inventory of all processes and services that are running on the VMs on the hosts.
  • the management servers also referred to above and below as the management plane
  • the management servers provides a rule creation interface for allowing administrators to create context-based firewall rules and/or policies for the firewall engines 128 (as well as service rules for the other service engines 130).
  • the rule creation interface allows the administrators to define high-level firewall policies (and other service policies) based on applications inventoried through the data collected by the discovery engines 120, and contextual attributes collected by the context engines 110 and by the management plane's interface with other management server clusters.
  • the management plane directly supplies some or all of these policies to the management proxies (not shown) on the hosts 200, and/or indirectly supplies some or all of these policies to these proxies through a set of controllers (e.g., network controllers).
  • the management proxies publish the received policies as rules to the context-based service rule storages 140.
  • the proxies transform these policies before publishing them to the context-based service rule storages 140. For instance, in some examples, the policies are published with AppliedTo tuples that identify the service nodes and/or logical networks to which they are associated.
  • the management proxies on the hosts remove the AppliedTo tuple from each service policy, before pushing the policy as a service rule to the service rule storage 140.
  • the context engines 110 on the hosts 200 in some examples resolve the policies based on collected contextual attributes, in order to generate rules for the service engines.
  • the encryption engine 124 is a context-based encryptor that performs its encryption/decryption operations based on encryption rules that can be specified in terms of not only L2-L4 parameters, but also in terms of contextual attributes.
  • Figure 15 illustrates an example of such context-based encryption rules. These rules are used independently by different encryption engines 124 on different hosts 200 to encrypt/decrypt data messages sent by and received for the VMs 205 on these hosts.
  • the encryption engines 124 that enforce the same encryption rules on the different hosts collectively form a distributed encryption engine (i.e., a single, conceptual logical encryption engine) that spans across the multiple hosts to uniformly perform a desired set of encryption and decryption operations.
  • each VM 205 has its own encryption engine, while in other examples, one encryption engine 124 can service multiple VMs 205 on the same host (e.g., multiple VMs for the same tenant on the same host).
  • Figure 15 illustrates an encryption rule data store 140 that stores several encryption rules.
  • Each encryption rule includes (1) a rule identifier 1505, (2) an encryption type identifier 1510, and (3) a key identifier 1515.
  • Each rule identifier 1505 specifies one or more data tuples that can be used to identify a rule that matches a data message flow.
  • a rule identifier can include any L2-L4 parameters (e.g., source IP address, source port, destination port, destination IP, protocol, etc.). These L2-L4 parameters in some examples can be defined in the physical domain or logical domain.
  • the rule identifier can include contextual attributes, such as AppID, application name, application version, user ID, group ID, threat level, and resource consumption.
  • an encryptor 124 searches an encryption rule data store 140 by comparing one or more message attributes (e.g., five-tuple header values, contextual attributes) with the rule identifiers 1505 to identify the highest priority rule with a matching rule identifier.
  • the encryption rule data store 140 has a default rule that is used when no other rule matches a data message flow.
  • the default rule specifies no encryption key as no rule exists for encrypting the data message flow.
  • the encryptor 124 when the default rule is returned to the encryptor 124, the encryptor 124 does not encrypt the data message flow for which it is performing the check.
  • the encryption type 1510 of each encryption rule specifies the type of encryption/decryption to use, while the key identifier 1515 of each rule identifies the key to use for the encryption/decryption.
  • the encryption rules only specify the key identifiers 1515 and do not specify the encryption types 1510, because the key identifiers identify both the key and the type of encryption/decryption or these types are otherwise specified (e.g., preconfigured) in the encryptor.
  • the encryption and decryption operations of the encryption engine 124 will now be described by reference to Figures 16-18 .
  • the encryption and decryption operations use the same key or transposed versions of the same key, because these examples use a symmetric encryption scheme in which the same key is used to encrypt and decrypt the message, or transposed versions of the same key are used to encrypt and decrypt the message.
  • Other examples use asymmetric encryption schemes (e.g., source encryptor using its private key, and the destination encryptor using the public key of the source encryptor).
  • FIG 16 illustrates a process 1600 that the encryptor 124 performs to encrypt a data message sent by a VM 205 on the host 200.
  • the process 1600 starts when the encryptor 124 receives (at 1605) a data message from its corresponding SFE port 260. This port relays this message when it receives the data message from its VM.
  • the port relays the data message by passing to the encryptor a reference (e.g., a handle that identifies a location in memory that stores the data message) to the data message or the data message's header values.
  • a reference e.g., a handle that identifies a location in memory that stores the data message
  • the encryptor determines whether its connection state cache 225 stores a cached encryption record for the received data message. In some examples, each time an encryptor finds an encryption rule for a VM data message in some examples, it creates a cached encryption record that stores the encryption rule, a reference to the encryption rule, the encryption key, and/or the encryption key's identifier in the connection state cache 225.
  • each cached record in the connection state cache 225 has a record identifier that is defined in terms of data message identifiers (e.g., five-tuple identifiers).
  • the process 1600 compares the received data message's identifier (e.g., five-tuple identifier) with the record identifiers of the cached records to identify any record with a record identifier that matches the received data message's identifier.
  • the process 1600 identifies (at 1610) a cached encryption record for the received data message in the connection state cache 225, the process (at 1615) then uses the key identified by the identified encryption records to encrypt the received data message.
  • the process 1600 retrieves a key identifier from the stored or referenced rule and uses this identifier to retrieve a key from a key data store that is stored on the host 200 or from a key manager on the host or operating outside of the host.
  • the process 1600 retrieves a key identifier from the cached record and uses this identifier to retrieve a key from the local or remote key data store or key manager.
  • the process encrypts (at 1615) the data message's payload (e.g., the L2 payload) by using the identified encryption key, while generating an integrity check value (ICV) hash of the payload and some or all of the header values (e.g., the physical L3 and L4 header values and/or logical L2 or L3 header values), so that the message's destination would have (1) to decrypt the encrypted portion of the data message, and (2) to verify the authenticity and integrity of the payload and header values that were used for the ICV calculation.
  • ICV integrity check value
  • the encryption process 1600 in some examples also encrypts (at 1615) a portion of the data message header.
  • some examples encrypt all of the physical header values of the data message. Some of these examples perform ICV operation on the logical network identifier (e.g., the VNI) and the payload so that the decryptor at the destination host can verify the authenticity and integrity of the encrypted data message.
  • the logical network identifier e.g., the VNI
  • the process sends the encrypted data message along its datapath.
  • this operation entails returning a communication to the SFE port 260 (that called the encryptor to initiate the process 1600) to let the port know that the encryptor is done with its processing of the data message.
  • the SFE port 260 can then handoff the data message to the SFE 210 or can call another I/O chain operator to perform another operation on the data message.
  • the process 1600 ends.
  • the process 1600 determines (at 1610) that the connection state cache 225 does not store any cached record that matches the received data message
  • the process 1600 identifies (at 1620) one or more contextual attributes for this data message flow.
  • the service engines of different examples perform this operation differently. For instance, in some examples, the encryption engine 124 checks the attribute-mapping storage 223 for a record that has a record identifier that matches the received data message's header values (e.g., its five-tuple identifier). It then uses (at 1620) the contextual attribute set of this matching record as the contextual attribute set of the received data message flow.
  • the encryption engine 124 queries the context engine 110 to obtain the contextual attribute set for the received data message. With this query, the encryption engine supplies the received message's flow identifier (e.g., five-tuple identifier) or its associated service token, which the context engine then uses to identify a set of contextual attributes in its context attribute storage 145, as explained above.
  • the encryption engine supplies the received message's flow identifier (e.g., five-tuple identifier) or its associated service token, which the context engine then uses to identify a set of contextual attributes in its context attribute storage 145, as explained above.
  • the process 600 uses this attribute set by itself or along with the message's other identifiers (e.g., five-tuple identifiers) to identify (at 1625) an encryption rule in the encryption rule data store 140 that matches the received data message's attributes.
  • the encryption rules have rule identifiers that are defined in terms of one or more of non-contextual attributes (e.g., five-tuple attributes, logical attributes, etc.) and/or one or more contextual attributes, such as application name, application version, user ID, group ID, AppID, threat level, resource consumption level, etc.
  • the process in some examples compares contextual attributes and/or other attributes (e.g., five-tuple identifier) of the received data message with the rule identifiers (e.g., rule identifiers 1505) of the encryption rules to identify the highest priority rule that has an identifier that matches the message's attribute set.
  • contextual attributes and/or other attributes e.g., five-tuple identifier
  • rule identifiers e.g., rule identifiers 1505
  • the process determines (at 1630) whether it identified an encryption rule that specifies that the received data message should be encrypted.
  • the encryption rule data store 140 has a default encryption rule that matches all data message, and is returned when no other encryption rule matches a received data message.
  • the default encryption rule in some examples specifies that the received data message should not be encrypted (e.g., specifies a default key identifier that corresponds to a no-encryption operation).
  • the process 1600 determines (at 1630) that the data message should not be encrypted, the process sends (at 1635) the message unencrypted along the message's datapath.
  • This operation 1630 entails informing its SFE port 260 that it has completed processing the data message.
  • the process transitions to 1645, where in the connection state cache storage 225, it creates a record to indicate that no encryption should be performed for the received data message flow. In some examples, this record is addressed in the connection state cache 225 based on the five-tuple identifier of this flow. After 1645, the process ends.
  • the process determines (at 1630) that the data message should be encrypted, the process then (at 1640) retrieves a key identifier from the identified rule, uses this identifier to retrieve a key from a local or remote key data store or manager, as described above, and encrypts the received data message with the retrieved key.
  • This encryption of the data message is identical to the encryption operation 1615 that was above described.
  • the process 1600 encrypts the data message's payload (e.g., the L2 payload) by using the identified encryption key, while performing ICV operation on the payload and some or all of the header values (e.g., the physical L3 and L4 header values, logical L2 or L3 header values, and/or the logical network identifiers, such as VNIs and VDRIs).
  • the encryption process 1600 in some examples also encrypts (at 1640) some or all of the data message's header.
  • the process sends (at 1635) the encrypted data message along its datapath.
  • this operation entails returning a communication to the SFE port 260 to let the port know that the encryptor is done with its processing of the data message.
  • the SFE port 260 can then handoff the data message to the SFE 210 or can call another I/O chain operator to perform another operation on the data message.
  • the encryptor has to make sure (at 1640) that the key identifier for the key that is used to encrypt the data message is included in the data message header before it is sent.
  • the process 1600 accomplishes this goal differently in different examples.
  • the process 1600 passes (at 1640) the key identifier to the SFE port 260 (that called it) so that the port or an I/O chain operator that it calls can insert the key identifier in the data message header.
  • one service engine e.g., another I/O chain operator
  • the SFE port 260 passes the key identifier that it receives from the process 1600 to this service engine so that it can include this key identifier in its header.
  • the process 1600 does not pass a key identifier to the SFE port and this port does not have another service engine encapsulate a key identifier in the overlay network's tunnel header.
  • the SFE port 260 simply has the service engine include in the overlay network's tunnel header an indication that the data message is encrypted.
  • a decryptor e.g., an encryption engine 124 executing on the host with the destination DCN can identify the correct key to use to decrypt the data message based on preconfigured information (e.g., a whitebox solution that allows the decryptor to pick the correct key based on a prior key specified for communicating with the source DCN, or based on header values of the data message flow), or based on out-of-band communication with a controller or a module on the source host regarding the appropriate key to use.
  • preconfigured information e.g., a whitebox solution that allows the decryptor to pick the correct key based on a prior key specified for communicating with the source DCN, or based on header values of the data message flow
  • connection state cache storage 225 After 1640, the process transitions to 1645, where in the connection state cache storage 225, it creates a record to store the encryption rule identified at 1625, a reference to this encryption rule, the key identifier specified in this encryption rule, and/or the retrieved key specified by this key identifier. As mentioned above, this cached record has a record identifier that in some examples includes the received data message's identifier (e.g., five-tuple identifier). After 1645, the process ends.
  • Figure 17 illustrates a process 1700 that an encryption engine 124 performs to decrypt an encrypted data message that an SFE port 260 or 265 receives on a destination host that executes the destination VM of the data message.
  • This encryption engine is referred to as the decryptor below.
  • the decryptor performs this operation when its corresponding SFE port calls the decryptor to check whether a received data message is encrypted, and if so, to decrypt this message.
  • the SFE port calls the encryption engine 124 when the SFE port determines that the received data message is encrypted. For instance, in some examples, the data message is sent to the destination host along a tunnel, and the header for this tunnel has an identifier that specifies that the data message is encrypted. In some examples, the decryptor performs this process only if the header value of the received data message does not specify a key identifier that identifies a key for decrypting the data message. When the header value does specify such a key identifier, the decryptor uses a decryption process 1800 of Figure 18 , which will be described below.
  • the received data message has a value (e.g., a bit) that specifies whether the message is encrypted. By analyzing this value, the decryptor will know whether the message is encrypted. When this value specifies that the message is not encrypted, the decryptor does not call either the process 1700 or 1800 to decrypt the encrypted message. Instead, the decryptor informs the SFE port that it can send the data message along its datapath.
  • a value e.g., a bit
  • the process 1700 initially identifies (at 1705) a set of message attributes that the process uses to identify an encryption rule that is applicable to the received data message.
  • the message-attribute set that is used to retrieve the rule can be different.
  • this message-attribute set includes the received data message's five-tuple identifier.
  • this message-attribute set also includes the logical network identifier associated with the received data message.
  • the decryptor determines (at 1710) whether its encryption state cache 225 stores a cached encryption rule for the message attribute set identified at 1705. Like an encryptor, each time a decryptor finds an encryption rule for a data message in some examples, it stores the encryption rule, a reference to the encryption rule, this rule's key identifier or this rule's key in the connection state cache 225, so that when it receives another data message with the same identified message-attribute set (e.g., when it received another data message that is part of the same data flow as the original data message), the decryptor does not have to search the encryption rule data store(s) to identify an encryption rule for the subsequently received data message.
  • the decryptor does not have to search the encryption rule data store(s) to identify an encryption rule for the subsequently received data message.
  • connection state cache 225 stores the encryption rules based on five-tuple identifiers of the data messages. Accordingly, before searching the encryption rule data store 140, the decryptor in some examples first determines whether the connection state cache 225 stores a matching cached record for the received data message.
  • the process 1700 identifies (at 1710) matching cached record for the received data message in the connection state cache 225
  • the process uses this record to identify a key, which it then uses to decrypts the encrypted portion of the received data message.
  • the cached record includes the key
  • this record includes the key identifier or the rule or a reference to the rule, which contains the key identifier.
  • the process uses the key identifier in the cached record or in the stored or referenced rule to retrieve a key from a local or remote key data store or manager, and then decrypts the encrypted portion of the received data message with the retrieved key.
  • part of the decryption operation is to authenticate the ICV generated hash of the data message header and payload. Specifically, when a portion of the received data message (e.g., its physical (e.g., L3 or L4) header values, or its logical (e.g., VNI) header values) is hashed along with the payload through an ICV operation by the encryptor, the decryption operation verifies this portion to validate the authenticity and integrity of the encrypted data message.
  • a portion of the received data message e.g., its physical (e.g., L3 or L4) header values, or its logical (e.g., VNI) header values
  • the process (at 1715) sends the decrypted data message along its datapath.
  • this operation entails returning a communication to the SFE port (that called the decryptor to initiate the process 1700) to let the port know that the decryptor is done with its processing of the data message.
  • the SFE port can then allow the data message to reach the destination VM or can call another I/O chain operator to perform another operation on the data message.
  • the process 1700 ends.
  • the process 1700 searches (at 1720) the encryption rule data store 140 to identify an encryption rule for the received data message.
  • the destination host receives an out-of-band communication from the source host (directly or through a controller set) that provides data from which the destination host can identify a key identifier, or an encryption rule with the key identifier, for decrypting the encrypted data message.
  • the out-of-band communication includes the identifier (e.g., five-tuple identifier) for the data message.
  • the encryption engine 124 on the destination host identifies the correct key to use to decrypt the data message based on preconfigured information.
  • the encryption engines 124 on source and destination hosts use a whitebox solution (1) that steps through encryption keys according to a preconfigured scheme, or (2) that selects encryption keys based on attributes (e.g., five-tuple identifiers) of the data messages.
  • the whitebox scheme ensures that the encryption engine at the destination host's encryptor 124 can select the same encryption key for decrypting the received data message as the source host's encryptor 124 used to encrypt the data message.
  • the process 1700 in some examples initiates an error handling process to resolve the unavailability of a decryption key for decrypting the encrypted message.
  • This error handling process in some examples queries a network agent to determine whether it or the controller set stores an encryption rule for the message attribute set identified at 1705. When the agent has such an encryption rule, it provides it to the process (at 1720). However, in other examples, the error handling process does not contact the network agent to obtain the key. Instead, it just flags this issue for an administrator to resolve.
  • the process uses the key identifier to retrieve a key from a local or remote key data store or manager, and decrypts the received data message with the retrieved key.
  • part of the decryption operation is to authenticate an ICV generated hash of the data message header and payload.
  • the decryption operation verifies this portion to validate the authenticity and integrity of the encrypted data message.
  • a portion of the received data message e.g., its physical (e.g., L3 or L4) header values, or its logical (e.g., VNI) header values
  • the decryption operation verifies this portion to validate the authenticity and integrity of the encrypted data message.
  • the process After decrypting the data message, the process (at 1725) sends the decrypted data message along its datapath.
  • this operation entails returning a communication to the SFE port (that called the decryptor to initiate the process 1700) to let the port know that the decryptor is done with its processing of the data message.
  • the SFE port can then allow the data message to reach the destination VM or can call another I/O chain operator to perform another operation on the data message.
  • connection state cache storage 225 After 1725, the process transitions to 1730, where in the connection state cache storage 225, it creates a record to specify that decryption key, or the identifier to this key, that should be used to decrypt data messages with message-attribute sets that are similar to the set identified at 1705 (e.g., to decrypt data messages that are part of the same flow as the received data message). In some examples, this record is addressed in the connection state cache cache 225 based on the five-tuple identifier of the received data message. After 1730, the process ends.
  • the header value (e.g., the tunnel header) of the received encrypted data message stores a key identifier that identifies a key for decrypting the data message.
  • the encryption engine 124 on a host device then performs its decryption operation by using the key identified by the key identifier.
  • Figure 18 illustrates a process 1800 that the encryption engine 124 performs to decrypt an encrypted data message that includes the key identifier in its header.
  • a decryptor in the encryption engine 124 performs this operation when its corresponding SFE port 260 or 265 calls the decryptor to check whether a received data message is encrypted, and if so, to decrypt this message.
  • the decryptor performs this process only if the header value of the received data message specifies a key identifier that identifies a key for decrypting the data message.
  • the process 1800 initially extracts (at 1805) the key identifier from the received data message.
  • the process uses (at 1810) the key identifier to retrieve a key from a local key data store/manager on the destination host or a remote key data store/manager not on the destination host, and then uses (at 1815) this key to decrypt the received data message.
  • part of the decryption operation is to authenticate the ICV generated hash (of the received data message's header and payload) that is encrypted with the payload of the data message.
  • the process 1800 stores in the cache data store 225 the key so that it does not need to identify this key for other data messages in the same data message flow as the received data message.
  • the process sends (at 1820) the decrypted data message along its datapath.
  • this operation entails returning a communication to the SFE port (that called the decryptor to initiate the process 1800) to let the port know that the decryptor is done with its processing of the data message.
  • the SFE port can then allow the data message to reach the destination VM or can call another I/O chain operator to perform another operation on the data message.
  • the process 1800 ends.
  • the context-based encryptor 124 can distribute the data message flows based on any number of contextual attributes.
  • examples of such encryption operations include: (1) encrypt all traffic from Outlook (started on any machine) to Exchange Server, (2) encrypt all communication between applications in a three tier Webserver, Application Server and Database Server, (3) encrypt all traffic originating from the Administrators Active Directory group, etc.
  • the management servers in some examples interact with the discovery engines 120 executing on the hosts 200 in a data center to obtain and refresh inventory of all processes and services that are running on the VMs on the hosts.
  • the management plane in some examples then provides a rule creation interface for allowing administrators to create context-based encryption rules and/or policies for the encryption engines 124 (as well as service rules for the other service engines 130).
  • the rule creation interface allows the administrators to define high-level encryption policies (and other service policies) based on applications inventoried through the data collected by the discovery engines 120, and contextual attributes collected by the context engines 110 and by the management plane's interface with other management server clusters.
  • the management plane directly supplies some or all of these policies to the management proxies (not shown) on the hosts 200, and/or indirectly supplies some or all of these policies to these proxies through a set of controllers (e.g., network controllers).
  • the management proxies publish the received policies as rules to the context-based service rule storages 140.
  • the proxies transform these policies before publishing them to the context-based service rule storages 140. For instance, in some examples, the policies are published with AppliedTo tuples that identify the service nodes and/or logical networks to which they are associated.
  • the management proxies on the hosts remove the AppliedTo tuple from each service policy, before pushing the policy as a service rule to the service rule storage 140.
  • the context engines 110 on the hosts 200 in some examples resolve the policies based on collected contextual attributes, in order to generate rules for the service engines.
  • the process control (PC) engine 122 is a context-based PC engine that performs its PC operations based on PC rules that can be specified in terms of contextual attributes.
  • Figure 19 illustrates several examples of such PC rules.
  • This figure illustrates a PC rule data store 140 of some examples.
  • each PC rule includes a rule identifier 1905 and a PC action 1910.
  • a PC action 1910 can be (1) Allow, (2) Stop and Disallow, or (3) Stop and Terminate.
  • Each rule identifier 1905 specifies one or more data tuples that can be used to identify a rule that matches a data message flow.
  • a rule identifier can include contextual attributes, such as AppID, application name, application version, user ID, group ID, threat level, resource consumption, etc.
  • a PC engine searches a PC data storage by comparing one or more message attributes (e.g., contextual attributes) with the rule identifiers 1905 to identify the highest priority rule with a matching rule identifier.
  • the rule identifier 1905 can also include L2-L4 parameters (e.g., five tuple identifiers) associated with data message flows, and the PC engine performs its PC operations on a per flow basis.
  • the PC engine 122 only performs its PC operations for process events, and leaves it to the firewall engine 128 to perform PC operations on a per flow basis. Accordingly, in some examples, the rule identifiers 1905 of the PC rules for the PC engine do not include any L2-L4 parameters.
  • different PC engines 122 on different hosts enforce the same set of PC rules. For instance, in some examples, different PC engines 122 process the same PC rules on different hosts for VMs of one logical network in order to provide a level of security on the processes running on these VMs. For this logical network, these PC engines 122 collectively form a distributed PC engine (i.e., a single, conceptual logical PC engine) that spans across the multiple hosts.
  • a distributed PC engine i.e., a single, conceptual logical PC engine
  • Figure 19 illustrates three detailed examples of the context-based PC rules of some examples.
  • the first rule 1920 specifies that Skype Version 1024 should be Stopped and Disallowed.
  • each time the PC engine 122 identifies a new process event it identifies the event's contextual attributes by interacting with the context engine or by examining the records in its attribute-mapping storage 223 to identify a record that specifies the contextual attributes for the process identifier.
  • the second rule 1925 specifies that all processes that have a High threat level should be Stopped and Disallowed.
  • the context engine 110 or service engines 130 can interact with threat detector 132 to assess the threat level associated with a process.
  • the threat detector generates a threat score, which the context engine, PC engine, or the other service engines quantize into one of several categories. For example, in some examples, the threat detector produces a threat score from 0 to 100, and one of the engines 110 or 130, designates scores between 0 and 33 to be a low threat level, designates scores between 34 and 66 to be a medium threat level, and designates scores between 67 and 100 to be a high threat level.
  • the third rule 1930 specifies that all processes that generate YouTube traffic should be Stopped and Terminated.
  • this rule is enforced by the PC engine, while in other examples, a similar rule is enforced by the firewall engine.
  • the firewall engine enforces such a rule, it enforces this rule on a per flow basis and its action is to drop packets associated with this flow.
  • the PC engine can enforce this rule when checking a process event, or when it is called by the SFE port 260 to perform a PC check on a particular flow.
  • Figure 20 illustrates a process 2000 that the PC engine 122 performs in some examples.
  • the process 2000 starts when the PC engine receives (at 2005) a process identifier from the context engine 110.
  • the context engine relays this process ID when it receives a process notification from the GI agent 250 on a VM 205.
  • the process 2000 determines (at 2010) whether the connection state cache 225 stores a record that identifies a PC action for the received process ID.
  • the PC engine in some examples creates a record in the connection state cache 225 to store the PC action performed so that it can subsequently rely on this cache for faster processing of the same process identifier.
  • each cached record in the connection state cache 225 has a record identifier that is defined in terms of process identifier. In these examples, the process compares the received identifier with the record identifiers of the cached records to identify any record with a record identifier that matches the received process identifier.
  • the process 2000 identifies (at 2010) a record for the received process event in the connection state cache 225, the process (at 2015) then performs the PC action specified in this record.
  • this operation is a disallowance or a termination
  • the PC engine directs the context engine 110 to disallow or terminate the process.
  • the context engine 110 directs the GI agent that reported the event to disallow or terminate the process.
  • the GI agent then directs the process subsystem of the OS to disallow or terminate the process.
  • the process 2000 ends.
  • the process 2000 determines (at 2010) that the connection state cache 225 does not store a record for the received process identifier
  • the process 2000 identifies (at 2020) one or more contextual attributes for this process identifier.
  • the service engines of different examples perform this operation differently.
  • the PC engine directs the context engine to collect additional process attributes for the received process event and the context engine collects this information by interacting with the GI agent.
  • the process 2000 uses this attribute set to identify (at 2025) a PC rule in the PC rule data store 140.
  • the PC rules have rule identifiers 1505 that are defined in terms of one or more contextual attributes, such as application name, application version, user ID, group ID, AppID, threat level, resource consumption level, etc.
  • the process in some examples compares the collected contextual attributes with the rule identifiers (e.g., rule identifiers 1905) of the PC rules to identify the highest priority rule that has an identifier that matches the collected attribute set.
  • the process When the process identifies a PC rule (at 2025), it performs the PC action (e.g., Allow, Stop and Disallow, Stop and Terminate, etc.) of this rule on the received process event.
  • the PC engine directs the context engine 110 to disallow or terminate the process.
  • the context engine 110 directs the GI agent that reported the event to disallow or terminate the process.
  • the GI agent then directs the process subsystem of the OS to disallow or terminate the process.
  • the process After performing the PC action at 2030, the process creates (at 2035) a record in the connection state cache storage 225. This record identifies the PC action for the received process event. After 2035, the process ends.
  • the management servers in some examples interact with the discovery engines 120 executing on the hosts 200 in a data center to obtain and refresh inventory of all processes and services that are running on the VMs on the hosts.
  • the management plane in some examples then provides a rule creation interface for allowing administrators to create context-based PC rules and/or policies for the PC engines 122 (as well as service rules for the other service engines 130).
  • the rule creation interface allows the administrators to define high-level PC policies (and other service policies) based on applications inventoried through the data collected by the discovery engines 120, and contextual attributes collected by the context engines 110 and by the management plane's interface with other management server clusters.
  • the management plane directly supplies some or all of these policies to the management proxies (not shown) on the hosts 200, and/or indirectly supplies some or all of these policies to these proxies through a set of controllers (e.g., network controllers).
  • the management proxies publish the received policies as rules to the context-based service rule storages 140.
  • the proxies transform these policies before publishing them to the context-based service rule storages 140.
  • the context engines 110 on the hosts 200 in some examples resolve the policies based on collected contextual attributes, in order to generate rules for the service engines.
  • Figure 21 illustrates an example of how the service engines 130 are managed in some examples.
  • This figure illustrates multiple hosts 200 in a datacenter.
  • each host includes several service engines 130, a context engine 110, a threat detector 132, a DPI module 135, several VMs 205, and an SFE 210. It also illustrates a set of controllers 2110 for managing the service engines 130, VMs 205, and SFEs 210.
  • the context engines 110 in some examples collect contextual attributes that are passed to the management servers in the controller set through a network 2150 (e.g., through a local area network, a wide area network, a network of networks (such as the Internet), etc.).
  • the controller set provides a user interface for the administrators to define context-based service rules in terms of these collected contextual attributes, and communicates with the hosts through the network 2150 to provide these policies.
  • the hosts also communicatively connect to each other through this network 2150.
  • Computer readable storage medium also referred to as computer readable medium.
  • processing unit(s) e.g., one or more processors, cores of processors, or other processing units
  • processing unit(s) e.g., one or more processors, cores of processors, or other processing units
  • Examples of computer readable media include, but are not limited to, CD-ROMs, flash drives, RAM chips, hard drives, EPROMs, etc.
  • the computer readable media does not include carrier waves and electronic signals passing wirelessly or over wired connections.
  • the term "software” is meant to include firmware residing in read-only memory or applications stored in magnetic storage, which can be read into memory for processing by a processor.
  • multiple software inventions can be implemented as sub-parts of a larger program while remaining distinct software inventions.
  • multiple software inventions can also be implemented as separate programs.
  • any combination of separate programs that together implement a software invention described here is within the scope of the invention.
  • the software programs when installed to operate on one or more electronic systems, define one or more specific machine implementations that execute and perform the operations of the software programs.
  • Figure 22 conceptually illustrates a computer system 2200 with which some examples of the invention are implemented.
  • the computer system 2200 can be used to implement any of the above-described hosts, controllers, and managers. As such, it can be used to execute any of the above described processes.
  • This computer system includes various types of non-transitory machine readable media and interfaces for various other types of machine readable media.
  • Computer system 2200 includes a bus 2205, processing unit(s) 2210, a system memory 2225, a read-only memory 2230, a permanent storage device 2235, input devices 2240, and output devices 2245.
  • the bus 2205 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the computer system 2200.
  • the bus 2205 communicatively connects the processing unit(s) 2210 with the read-only memory 2230, the system memory 2225, and the permanent storage device 2235.
  • the processing unit(s) 2210 retrieve instructions to execute and data to process in order to execute the processes of the invention.
  • the processing unit(s) may be a single processor or a multi-core processor in different examples.
  • the read-only-memory (ROM) 2230 stores static data and instructions that are needed by the processing unit(s) 2210 and other modules of the computer system.
  • the permanent storage device 2235 is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when the computer system 2200 is off. Some examples of the invention use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive) as the permanent storage device 2235.
  • the system memory 2225 is a read-and-write memory device. However, unlike storage device 2235, the system memory is a volatile read-and-write memory, such a random access memory.
  • the system memory stores some of the instructions and data that the processor needs at runtime.
  • the invention's processes are stored in the system memory 2225, the permanent storage device 2235, and/or the read-only memory 2230. From these various memory units, the processing unit(s) 2210 retrieve instructions to execute and data to process in order to execute the processes of some examples.
  • the bus 2205 also connects to the input and output devices 2240 and 2245.
  • the input devices enable the user to communicate information and select commands to the computer system.
  • the input devices 2240 include alphanumeric keyboards and pointing devices (also called “cursor control devices").
  • the output devices 2245 display images generated by the computer system.
  • the output devices include printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD). Some examples include devices such as a touchscreen that function as both input and output devices.
  • bus 2205 also couples computer system 2200 to a network 2265 through a network adapter (not shown).
  • the computer can be a part of a network of computers (such as a local area network (“LAN”), a wide area network (“WAN”), or an Intranet, or a network of networks, such as the Internet. Any or all components of computer system 2200 may be used in conjunction with the invention.
  • Some examples include electronic components, such as microprocessors, storage and memory that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media).
  • Some examples of such computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.), magnetic and/or solid state hard drives, read-only and recordable Blu-Ray ® discs, ultra-density optical discs, any other optical or magnetic media, and floppy disks.
  • the computer-readable media may store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations.
  • Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.
  • ASICs application specific integrated circuits
  • FPGAs field programmable gate arrays
  • integrated circuits execute instructions that are stored on the circuit itself.
  • the terms “computer”, “server”, “processor”, and “memory” all refer to electronic or other technological devices. These terms exclude people or groups of people.
  • display or displaying means displaying on an electronic device.
  • the terms “computer readable medium,” “computer readable media,” and “machine readable medium” are entirely restricted to tangible, physical objects that store information in a form that is readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral or transitory signals.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
EP17825331.6A 2016-12-22 2017-12-10 Collecting and processing context attributes on a host Active EP3542266B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP23179615.2A EP4231146A1 (en) 2016-12-22 2017-12-10 Collecting and processing context attributes on a host

Applications Claiming Priority (7)

Application Number Priority Date Filing Date Title
US201662438379P 2016-12-22 2016-12-22
US15/650,294 US10802858B2 (en) 2016-12-22 2017-07-14 Collecting and processing contextual attributes on a host
US15/650,340 US10503536B2 (en) 2016-12-22 2017-07-14 Collecting and storing threat level indicators for service rule processing
US15/650,251 US10802857B2 (en) 2016-12-22 2017-07-14 Collecting and processing contextual attributes on a host
IN201741026365 2017-07-25
US15/796,875 US10805332B2 (en) 2017-07-25 2017-10-30 Context engine model
PCT/US2017/065495 WO2018118465A1 (en) 2016-12-22 2017-12-10 Collecting and processing context attributes on a host

Related Child Applications (1)

Application Number Title Priority Date Filing Date
EP23179615.2A Division EP4231146A1 (en) 2016-12-22 2017-12-10 Collecting and processing context attributes on a host

Publications (2)

Publication Number Publication Date
EP3542266A1 EP3542266A1 (en) 2019-09-25
EP3542266B1 true EP3542266B1 (en) 2023-06-28

Family

ID=67057485

Family Applications (2)

Application Number Title Priority Date Filing Date
EP23179615.2A Pending EP4231146A1 (en) 2016-12-22 2017-12-10 Collecting and processing context attributes on a host
EP17825331.6A Active EP3542266B1 (en) 2016-12-22 2017-12-10 Collecting and processing context attributes on a host

Family Applications Before (1)

Application Number Title Priority Date Filing Date
EP23179615.2A Pending EP4231146A1 (en) 2016-12-22 2017-12-10 Collecting and processing context attributes on a host

Country Status (5)

Country Link
EP (2) EP4231146A1 (zh)
JP (3) JP6937372B2 (zh)
CN (2) CN116938564A (zh)
AU (2) AU2017378718B2 (zh)
CA (2) CA3047393C (zh)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10802857B2 (en) 2016-12-22 2020-10-13 Nicira, Inc. Collecting and processing contextual attributes on a host
US10805332B2 (en) 2017-07-25 2020-10-13 Nicira, Inc. Context engine model
EP3796167B1 (en) * 2019-09-23 2023-05-03 SAS Institute Inc. Router management by an event stream processing cluster manager
CN112583625B (zh) * 2019-09-30 2023-12-08 中兴通讯股份有限公司 网络资源管理方法、系统、网络设备和可读存储介质
CN112367336B (zh) * 2020-11-26 2022-09-02 杭州安恒信息技术股份有限公司 webshell拦截检测方法、装置、设备及可读存储介质
CN113079180B (zh) * 2021-04-20 2023-03-10 成都安恒信息技术有限公司 一种基于执行上下文的防火墙细粒度访问控制方法及系统
JP2023063811A (ja) * 2021-10-25 2023-05-10 ジェイズ・コミュニケーション株式会社 アクセス制御システム
CN117354368B (zh) * 2023-12-05 2024-09-27 北京轻网科技股份有限公司 七层代理下客户端信息透传方法、装置、设备及存储介质

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL166717A0 (en) * 2002-08-26 2006-01-15 Computer Ass Think Inc Web services apparatus and methods
US9235705B2 (en) * 2008-05-19 2016-01-12 Wontok, Inc. Secure virtualization system software
US9274851B2 (en) * 2009-11-25 2016-03-01 Brocade Communications Systems, Inc. Core-trunking across cores on physically separated processors allocated to a virtual machine based on configuration information including context information for virtual machines
US20120124126A1 (en) * 2010-11-17 2012-05-17 Microsoft Corporation Contextual and task focused computing
US9866475B2 (en) * 2012-06-15 2018-01-09 Citrix Systems, Inc. Systems and methods for forwarding traffic in a cluster network
EP2956883B1 (en) 2013-02-14 2017-03-22 VMware, Inc. Method and apparatus for application awareness in a network
US9413667B2 (en) * 2013-02-15 2016-08-09 Telefonaktiebolaget Lm Ericsson (Publ) Methods and network nodes for traffic steering based on per-flow policies
WO2014168936A1 (en) * 2013-04-10 2014-10-16 Ho Lap-Wah Lawrence Method and apparatus for processing composite web transactions
US9582297B2 (en) * 2013-05-16 2017-02-28 Vmware, Inc. Policy-based data placement in a virtualized computing environment
US9444675B2 (en) * 2013-06-07 2016-09-13 Cisco Technology, Inc. Determining the operations performed along a service path/service chain
EP2813945A1 (en) * 2013-06-14 2014-12-17 Tocario GmbH Method and system for enabling access of a client device to a remote desktop
EP3011713B1 (en) * 2013-06-20 2018-05-16 CensorNet A/S Method and system protecting against identity theft or replication abuse
US9548965B2 (en) 2013-08-26 2017-01-17 Nicira, Inc. Proxy methods for suppressing broadcast traffic in a network
US9621568B2 (en) * 2014-02-11 2017-04-11 Varmour Networks, Inc. Systems and methods for distributed threat detection in a computer network
US10747888B2 (en) * 2014-06-30 2020-08-18 Nicira, Inc. Method and apparatus for differently encrypting data messages for different logical networks
US20160065456A1 (en) * 2014-09-03 2016-03-03 Alcatel Lucent System and method providing service chaining in a mobile network
EP3561672B1 (en) * 2015-04-07 2022-06-01 Huawei Technologies Co., Ltd. Method and apparatus for a mobile device based cluster computing infrastructure
CN105630512A (zh) * 2016-02-17 2016-06-01 北京高绎信息技术有限公司 通过软件开发工具包实现移动设备数据跟踪的方法及系统

Also Published As

Publication number Publication date
JP2020506459A (ja) 2020-02-27
AU2017378718B2 (en) 2021-01-28
JP2022003527A (ja) 2022-01-11
AU2021202517B2 (en) 2023-02-16
JP7320572B2 (ja) 2023-08-03
CA3130844A1 (en) 2018-06-28
CN110226155B (zh) 2023-07-18
CN110226155A (zh) 2019-09-10
CN116938564A (zh) 2023-10-24
JP6937372B2 (ja) 2021-09-22
JP2023159072A (ja) 2023-10-31
EP3542266A1 (en) 2019-09-25
CA3047393A1 (en) 2018-06-28
EP4231146A1 (en) 2023-08-23
CA3047393C (en) 2021-11-09
AU2017378718A1 (en) 2019-07-11
CA3130844C (en) 2023-11-28
AU2021202517A1 (en) 2021-05-20

Similar Documents

Publication Publication Date Title
US11327784B2 (en) Collecting and processing contextual attributes on a host
US10805332B2 (en) Context engine model
US10778651B2 (en) Performing context-rich attribute-based encryption on a host
US11032246B2 (en) Context based firewall services for data message flows for multiple concurrent users on one machine
US10812451B2 (en) Performing appID based firewall services on a host
US10803173B2 (en) Performing context-rich attribute-based process control services on a host
US10581960B2 (en) Performing context-rich attribute-based load balancing on a host
WO2018118465A1 (en) Collecting and processing context attributes on a host
AU2021202517B2 (en) Collecting and processing context attributes on a host
US11184327B2 (en) Context aware middlebox services at datacenter edges
US10999220B2 (en) Context aware middlebox services at datacenter edge
US20230229771A1 (en) Prevent network spread of malware by restricting it to one patient only
US11995038B2 (en) Data criticality-based network policy creation and consumption

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20190620

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20211007

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 9/455 20180101AFI20221216BHEP

INTG Intention to grant announced

Effective date: 20230116

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1583312

Country of ref document: AT

Kind code of ref document: T

Effective date: 20230715

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602017070758

Country of ref document: DE

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG9D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230928

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20230628

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1583312

Country of ref document: AT

Kind code of ref document: T

Effective date: 20230628

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230929

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20230929

Year of fee payment: 7

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20231019

Year of fee payment: 7

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231028

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231030

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20231028

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20231017

Year of fee payment: 7

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602017070758

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

26N No opposition filed

Effective date: 20240402

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20231210

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20231231

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20230628

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20231210

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20231210

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20231231